
How can I tell PHP to save a file in a specific folder when using $_POST to attribute the filename?

I'm having some trouble getting my script to save a file in a particular folder. Normally the syntax would call for quotes around the entire path, but because I'm using $_POST to name the file it just doesn't work out that way. So far this is what I have.

<?php ini_set('display_errors','on'); ?><?php

$fileName= fopen("Submissions/".$_POST['first_name'],'w');
$data= "";

foreach ($_POST as $key => $value) {
    $data.= str_replace("_"," ",$key).":\n\n ". $value."\n\n\n\n";
    preg_replace("/[^ 0-9a-zA-Z]/", "_", $value);
}

fwrite($fileName, $data);
fclose($fileName);


?>

You have several problems. First, you have syntax errors. Second, you have serious security vulnerabilities.

Let's start with the first syntax errors. This line:

$fileName= fopen(Submissions/$_POST['first_name'],'w');

Is invalid. You want to use string concatenation, like this:

$fileName= fopen("Submissions/" . $_POST['first_name'],'w');

But that's a huge security vulnerability. If $_POST['first_name'] is something bad like ../../../etc/passwd, you could be in for a world of hurt.

Then there's this:

fwrite(Submissions/$fileName, $data);

That's invalid syntax (again, string concatenation) and, again, insecure. It's also just wrong. You need a file resource, not a path name, as the first parameter.

In both of these places, you must validate the data before using it this way. Otherwise, expect to get hacked repeatedly.
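
One way to do the validation the answer calls for, as an added example that is not part of the original question or answer. The SUBMISSION_DIR constant, the function names, the 64-character limit, the fixed .txt extension and the use of mode 'x' are assumptions made for illustration.

```php
<?php
// Added example: every name and limit below is an assumption, not from the original post.
declare(strict_types=1);

const SUBMISSION_DIR = __DIR__ . '/Submissions';   // assumed storage directory

// Turn untrusted input into a safe file name, or return null if nothing usable remains.
function safeSubmissionName($raw): ?string
{
    if (!is_string($raw)) {            // $_POST values can also be arrays
        return null;
    }
    // Allow-list: letters, digits, space, dash and underscore survive; anything else
    // (including "/", "\", "." and NUL bytes) is replaced with "_".
    $name = preg_replace('/[^0-9A-Za-z _-]/', '_', trim($raw));
    if ($name === null || $name === '' || strlen($name) > 64) {
        return null;
    }
    return $name . '.txt';             // the server chooses the extension, not the client
}

function saveSubmission(array $post): bool
{
    $name = safeSubmissionName($post['first_name'] ?? null);
    $dir  = realpath(SUBMISSION_DIR);  // false if the directory does not exist
    if ($name === null || $dir === false) {
        return false;
    }
    $data = '';
    foreach ($post as $key => $value) {
        if (is_string($value)) {
            $data .= str_replace('_', ' ', (string) $key) . ":\n\n " . $value . "\n\n\n\n";
        }
    }
    // fopen() returns a file resource; that resource, not a path, is what fwrite() takes.
    // Mode 'x' fails if the file exists, so one submission cannot overwrite another.
    $handle = @fopen($dir . DIRECTORY_SEPARATOR . $name, 'x');
    if ($handle === false) {
        return false;
    }
    $ok = fwrite($handle, $data) !== false;
    fclose($handle);
    return $ok;
}

// Constructed inputs: an ordinary name and the traversal string quoted in the answer.
var_dump(safeSubmissionName('Alice'));
var_dump(safeSubmissionName('../../../etc/passwd'));
```

The second call shows that the traversal string is reduced to a flat name with no path separators or dots, so the resulting file can only land inside the submissions directory.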
