Redredc Posted February 28, 2015

Hey, guys. I'm having trouble with something, and I'm hoping you can help. I'm trying to have it to where you can edit files directly on the website itself. But the problem is, when I go to edit them, I get an error, and it immediately takes me to my error 403 page that I've set up. So I changed it to permission 777 (and then immediately changed it back afterward, it is now on 644) to see if that was the problem, but I got the same result every time. I was hoping you could take a look at my code, and see if you could tell me what's happening.

```php
$edit=$_POST['edit'];
$page=$_POST['page'];
$file=fopen($page,'w');
if(!mysql_query($file)){
    die('Error: '.mysql_error());
}
else fwrite($file,$page);
```

Please let me know if you can figure out the problem. And I've also tried removing the 4th, 5th and 6th lines to see if that was the problem, but still nothing has changed.
Ingolme Posted February 28, 2015

What are you passing to the $page variable? Is it a URL or a local file path?
Redredc Posted March 1, 2015

It's a local file path. I tried editing my index.php (which is one folder backwards, so it's "../index.php") page. It's a series of three links (because I couldn't find any other way to do it) and I can show you the coding for each of them.
Ingolme Posted March 1, 2015

When you echo $page what do you see? fwrite() shouldn't show a 403 page when it fails, it should just show a PHP error.
Redredc Posted March 3, 2015

I see "../index.php". I'll just show you every bit of coding:

---/admin/pages.php---

```php
echo'<form action="edit_page.php" method="get">
<p>Type in a url (this site only) starting with "../" and type the rest in as if you were doing a self-hosted link. For example: "../index.php"</p>
<input type="text" name="url"/>
<input type="submit" value="Edit Page"/>
</form>';
```

---/admin/edit_page.php---

```php
$url=$_GET['url'];
$edit=fopen(''.$url.'','r') or die('Unable to open file.');
$read=fread($edit,filesize($url));
echo'<form action="confirm_edit.php" method="post">
<textarea width="90%" height="200px" name="edit">
'.$read.'
</textarea><br/>
You are currently editing: <input type="text" name="page" value="'.$url.'"/>
<input type="submit" value="Edit Page"/>
</form>';
```

---/admin/confirm_edit.php---

```php
$edit=$_POST['edit'];
$page=$_POST['page'];
$file=fopen($page,'w');
if(!mysql_query($file)){
    die('Error: '.mysql_error());
}
else fwrite($file,$page);
```
Ingolme Posted March 3, 2015

Why are you passing the file handler to a mysql_query() function? mysql_query() is going to fail because you haven't opened a connection and $file is not a valid SQL string.
justsomeguy Posted March 3, 2015

Yikes, a form that lets people read, and then write, any file which PHP has access to? That's the #1 easiest way to completely compromise a server, so hopefully you have that locked down pretty tight.
Redredc Posted March 3, 2015

> Why are you passing the file handler to a mysql_query() function? mysql_query() is going to fail because you haven't opened a connection and $file is not a valid SQL string.

Like I said earlier in my first post, I removed those lines to see if that was the problem, which it wasn't. As for the connection, I have connected it to my server's database. I'm only showing you the necessary code for what you should need to figure this out. If you want, I can show you the code for how I'm doing it.

> Yikes, a form that lets people read, and then write, any file which PHP has access to? That's the #1 easiest way to completely compromise a server, so hopefully you have that locked down pretty tight.

Don't worry. I have it coded to where it's only visible to me. For each portion of coding, I put in:

```php
if(isset($_SESSION['user']) && $_SESSION['user']=='Redredc'){
    // (insert text here)
}
else echo'You do not have the correct access to enter this page! <a onClick="goBack()" style="color:blue;">Click Here</a> to go back, or <a href="/index.php">Click Here</a> to return home.';
```
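The concern justsomeguy raises, as an added example that is not part of the original thread: the session check decides who reaches the form, but `$_POST['page']` can still name any file PHP can write. One way to confine the path, assuming a dedicated content directory and an allow-list of non-executable extensions (`resolve_editable()` and the demo tree are hypothetical and constructed):

```php
<?php
// Added example, not code from the thread. resolve_editable(), the content/
// directory and the extension allow-list are assumptions of this sketch.

function resolve_editable(string $root, string $userPath): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false) {
        return null;
    }
    // realpath() collapses "../", follows symlinks, and returns false for a
    // path that does not exist, so only existing files can be edited.
    $target = realpath($rootReal . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // The trailing separator stops "/site/content-old" matching "/site/content".
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Only static content: a web form that can write .php is code execution.
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    return in_array($ext, ['html', 'txt', 'css'], true) ? $target : null;
}

// Constructed demo tree in the temp directory.
$base = sys_get_temp_dir() . '/editdemo_' . bin2hex(random_bytes(4));
mkdir("$base/content", 0700, true);
file_put_contents("$base/content/about.html", '<p>old</p>');
file_put_contents("$base/index.php", '<?php // site code');

// Values as they would arrive in $_POST['page'] (constructed).
foreach (['about.html', '../index.php', '/etc/passwd', 'missing.html'] as $page) {
    $path = resolve_editable("$base/content", $page);
    echo str_pad($page, 14), $path === null ? 'rejected' : 'allowed', PHP_EOL;
}

// Write the submitted text ($_POST['edit'] in the thread), not the path.
$edit = '<p>new</p>'; // constructed
$path = resolve_editable("$base/content", 'about.html');
if ($path !== null) {
    file_put_contents($path, $edit, LOCK_EX);
}
echo file_get_contents("$base/content/about.html"), PHP_EOL;
```

The session check from the thread still belongs in front of this; the path check limits what an authenticated request can touch.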