Simple text upload script

ddrfreek

if ( $_POST['type'] == "editor" )
	{
	$fh = fopen("doghousecomics/dhcstylesheet.css", "w");
	fwrite ($fh, $_POST['style']);
	fclose($fh);
	header("Location: member/styleeditor.php");
	exit();
	}

For some reason, nothing about that works. I know for a fact that the if returns true, but neither the file overwrite nor the redirect are working. Could it be a problem with my path references? Or my server configuration? I've made sure the permission on that file is 777.

NogDog

Throw in some defensive coding and error reporting, and I'm sure you'll find an answer:

ini_set('display_errors', 1);
error_reporting(E_ALL);
if ( $_POST['type'] == "editor" )
{
   if(is_dir("doghousecomics"))
   {
      if(is_writable("doghousecomics"))
      {
         if($fh = fopen("doghousecomics/dhcstylesheet.css", "w"))
         {
            if(!fwrite ($fh, $_POST['style']))
            {
               user_error("fwrite() error", E_USER_WARNING);
            }
            fclose($fh);
         }
         else
         {
            user_error("fopen() error", E_USER_WARNING);
         }
      }
      else
      {
         user_error("directory is not writable", E_USER_WARNING);
      }
   }
   else
   {
      user_error("directory not found", E_USER_WARNING);
   }
   header("Location: member/styleeditor.php");
   exit();
}

atokatim

on my server, i had to put the full path to the folder in order for it to open and write.

"/srv/www/htdocs/doghousecomics/dhcstylesheet.css"

ddrfreek

Wow, thanks NogDog. Apparently, the overwrite works now, the only thing that doesn't is the header. Is it because the page I'm trying to use it on already has an HTML header?

Atokatim, that's helped me out before, actually, but in this case it doesn't seem like I needed it. The overwrite is working now.

ddrfreek

Also, this stylesheet that it's writing to will be included in the necessary pages via an html link href. Do I have to worry at all about someone being able to insert malicious code? I'm not sure if it's possible since it's purely a css file.

ddrfreek

Also, one last thing. How would I integrate stripslashes into the POST array?

Edit: Nevermind, I just did

$post = stripslashes($_POST['text']);
   if(is_dir("$direct"))
   {
      if(is_writable("$direct"))
      {
         if($fh = fopen($direct.'/'.$file, "w"))
         {
            if(!fwrite ($fh, $post))
            {
               user_error("fwrite() error", E_USER_WARNING);
            }
            fclose($fh);

and it works. However, I still need to know about vulnerability.