
fread space problem


Truly


Hi guys (and girls).

I am having some problem with 'fread.' I created the original file in Notepad and saved it as a '.txt' file. Nothing special about the file, I just typed and then uploaded it. When I viewed it on the site though there is a whole bunch of spaces in front of the text. And every time I update the text via the web script I made the space gets even larger. It's not just adding blank spaces to the file though because the file has not (visibly) changed. Below is my code, any help would be appreciated.

This is where the information is written to the file

// Open the file named in the posted form field for writing
$fh = fopen($_POST['Olink'], 'w') or die("Unable to open the file for editing!");
$code = $_POST['pagecode'];
fwrite($fh, $code);
fclose($fh);

This is where the information is being read from the file and outputted (into an HTML textarea if that makes any difference)

$fname = fopen($olink, "r") or exit("Unable to open the file for editing!");
echo fread($fname, filesize($olink));
fclose($fname);

Thanks,
Truly.

EDIT: I actually have another problem that is tied into this. If I am creating a file from index.php it is going to put the newly created file in the same directory as index.php. My question is how do I have it create the file in the root directory? Or at least a directory higher up.


First, let me just point out that the code you posted opens a major security hole on the server. That code is set up to write arbitrary data to an arbitrary file, it would be really easy to overwrite the password file with whatever you want, or the .htaccess file for that matter, or even create a new PHP script on the server to run any code you wanted. There is no validation that takes place to figure out if the file should be written to, or if the data to write is not malicious. If you want to put that code online and post a link, I'll be happy to post a link that takes advantage of the security hole.

That being said, there's nothing in the code that would explain the additional spaces. The code is standard code to read and write a file, there's nothing there that would indicate what the problem is. The first step would be to open the text file and look at the contents of it. But you're just writing a value from $_POST, so without knowing what you are writing it's hard to say what the problem might be.

If you want to create a file in the parent directory, you would use the path ../ to point there. If you want to create a file in the root of the webserver, start the path with a slash.


Wow, I didn't even think about that. Although this is a backend feature for admin only, even not considering the security aspect it opens holes for loads of accidents or problems in general. Maybe you can help me come up with a better way of doing it.

I am making a CMS just for fun and practice and this page allows people to create and edit pages on the website. Is it even possible to do that securely :). What I was thinking was to make it so that you could only choose the file name of a new file and it would automatically put it into a specific file, one that would only contain other user created pages. And then to edit the pages it could have a dropdown box so that you can only pick files that are out of that one specific directory. What are your thoughts on that?

As for the changing directories, that worked fine. I tried that before but I think I did /../ instead of just ../. And I will have to look at my code more for the extra spaces, still can't figure that one out.


If you're creating pages that people set up, probably just ask them for a filename. Store all files in a certain directory, so check the filename for slashes to figure out if it is valid or not. If it contains slashes then it is a directory, and you would want to show an error. Instead just ask them for a name and save all the pages in the same folder. The other problem is how to check for PHP code. You probably wouldn't want them running PHP, or else they could just upload a PHP script that would do whatever they wanted. If that is the case, you can check for the string "<?php" in the file, and give an error if it's there. You would also need to check if the short tags config option is on, which would be ini_get("short_open_tag"), and if it is, then also check for "<?" in the file. That would help ensure that they are only saving non-malicious files. Depending on the server, you might need to check for other extensions or languages.

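The checks described in the reply above, written out as an added PHP example that is not code from the thread. It goes slightly beyond the post by using an allowlist for the page name rather than only looking for slashes, and by also rejecting `<?=`, which PHP processes regardless of `short_open_tag` since 5.4. `PAGES_DIR`, `validate_page_name()`, `contains_php()` and `save_user_page()` are hypothetical names, and the fixed `.html` extension is an assumption.

```php
<?php
// Added example. PAGES_DIR and the three functions are hypothetical names.
const PAGES_DIR = __DIR__ . '/user_pages';

function validate_page_name(string $name): string
{
    // Allowlist: letters, digits, underscore and hyphen only. This rejects
    // slashes, backslashes, dots ("..") and NUL bytes in a single check.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('Invalid page name');
    }
    // Fixed directory and fixed extension: the client never supplies a path.
    return PAGES_DIR . '/' . $name . '.html';
}

function contains_php(string $body): bool
{
    // "<?php" is matched case-insensitively; "<?=" is always enabled.
    if (stripos($body, '<?php') !== false || strpos($body, '<?=') !== false) {
        return true;
    }
    // With short tags enabled, any "<?" opens a PHP block.
    $short = filter_var(ini_get('short_open_tag'), FILTER_VALIDATE_BOOLEAN);
    return $short && strpos($body, '<?') !== false;
}

function save_user_page(string $name, string $body): string
{
    $path = validate_page_name($name);
    if (contains_php($body)) {
        throw new InvalidArgumentException('PHP code is not allowed in pages');
    }
    if (!is_dir(PAGES_DIR) && !mkdir(PAGES_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create pages directory');
    }
    if (file_put_contents($path, $body, LOCK_EX) === false) {
        throw new RuntimeException('Write failed');
    }
    return $path;
}

// Constructed sample inputs: the first is accepted, the rest are rejected.
$samples = [['about-us', '<h1>About</h1>'], ['../.htaccess', 'x'],
            ['a/b', 'x'], ['notes', '<?PHP echo 1;']];
foreach ($samples as [$name, $body]) {
    try {
        echo $name, ' => saved to ', save_user_page($name, $body), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $name, ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The same `validate_page_name()` call belongs on the read path as well, so the edit form can only open files inside the pages directory.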


This topic is now archived and is closed to further replies.
