why does this simple counter fail?

[Ryan Coleman]

On Mar 23, 2011, at 12:14 PM, Paul Macdonald wrote:

> On 23/03/2011 16:45, Gary Kline wrote:
>> 	Guys,
>> 
>> 	Can any of you php hackers tell me why this simple self-hacked
>> 	counter bomb?
>> 
>> 	appended.
>> 
>> 	tia.
> $file doesn't look to be set anywhere
> 
> if its a web script ( as opposed to cmd line cli) tyhen its probably passed as a POST or GET variable.,
> 
> register_globals needs to be on for this variable to be auto set,
> 
> if the form is submitted via POST,  change script to:
> 
> $directory="./countdir/";
> $file=$_POST['file'];
> ....
> 
> if the form is submitted via GET (you'd see the file=variable in the address bar),  change script to:
> 
> $directory="./countdir/";
> $file=$_GET['file'];
> ....
> 
> Of course you want to sanitise this $file variable so that it can't be hacked.

Additionally you could do:

$file = $_SERVER['PHP_SELF'];

Which will tie the filename to the actual PHP file.

But you might want to do something like...

$file = urlencode($_SERVER['REQUEST_URI']).".txt";

to make it the full url, safe vars for file names and add .txt to make it readable in other things not FreeBSD.