Staredit Network

More PHP

Posted by Pie_Sniper on 2006-02-11 at 19:27:53
CODE
Comment.php

<html>

 <head>
   <title>Comment</title>
 </head>

 <body>
   <?php
     $Read = "";
     $Filename = "Data/" . $_GET['object'] . "Comments.txt";
     $File = "";

     function ReadComments()
     {
       global $Read, $File, $Filename;
       $File = fopen( $Filename, "r" );
       $Read = fread( $File, filesize( $Filename ) );
       fclose( $File );
     }

     ReadComments();
     echo "<pre style=\"font: 10pt courier new\">" . $Read . "</pre><br />";
   ?>
   <form action="WriteComment.php" method="post">
     <pre style="color: RGB( 128, 0, 128 ); font: 10pt courier new">Name<span style="color: RGB( 192, 192, 192 )">:</span>    <input type="text" name="name" value="" /></pre>
     <pre style="color: RGB( 0, 0, 128 ); font: 10pt courier new">Comment<span style="color: RGB( 192, 192, 192 )">:</span> <input type="text" name="comment" value="" /></pre>
     <input type="text" name="object" value="welcome" style="display: none"/>
     <input type="submit" value="Submit" />
   </form>
 </body>

</html>

CODE
WriteComment.php

<?php
 $Name = $_POST['name'];
 $Comment = $_POST['comment'];
 $Object = $_POST['object'];
 $Write = "\n<span style=\"color: RGB( 128, 0, 128 )\">" . $Name . "</span><span style=\"color: RGB( 192, 192, 192 )\">:</span> " . "<span style=\"color: RGB( 0, 0, 128 )\">" . $Comment . "</span>";
 $Read = "";
 $Filename = "Data/" . $Object . "Comments.txt";
 $File = "";
 $Redirect = "Location: Comment.php?object=" . $Object;

 $File = fopen( $Filename, "r" );
 $Read = fread( $File, filesize( $Filename ) );
 fclose( $File );
 $Read .= $Write;
 $File = fopen( $Filename, "w" );
 fwrite( $File, $Read );
 fclose( $File );
 header( $Redirect );
?>


Now, all I'm looking for is a way to set the "object" text input's value to the PHP variable $_GET['object'].
Posted by Doodle77(MM) on 2006-02-11 at 19:49:16
CODE
<input type="text" name="object"  style="display: none" value="<?php echo $_GET['object']; ?>" />

You're writing dangerous code. You need to prevent against putting /../../ as the object.
Posted by Pie_Sniper on 2006-02-11 at 20:07:56
You mean to prevent people from manually putting ?object=whatever and messing something up? $_GET['object'] is used to make the $Filename = Data/$ObjectComments.txt in both .php files. Is it dangerous to try and access Data/DoesNotExistComments.txt or Data/../../Comments.txt or something? I can assure you that no files other than the files in Data/ have the word "Comments" in them.

:: Edit
I found that it will create files if you use a non-existent object.
Posted by Doodle77(MM) on 2006-02-11 at 20:36:14
I know, but it's still just not a great idea to let people write files all over your hard drive.
Posted by Pie_Sniper on 2006-02-11 at 20:38:41
He he he. I think I will have an object list and check $_GET['object'] to make sure it is in the list.

:: Edit
Well, that's not working. How should I make sure it's one of my objects without having a giant if statement? And if it's not there, what should I do? I won't let you redirect if there is already HTML on the screen.
Posted by Doodle77(MM) on 2006-02-11 at 21:07:43
CODE

$Objlist = "Bsadf
fdjak
afjgj
ork
odafs
dgnna
maliwj
nbabw
hgayu
iiiie
anakj
ndjew
njfnke";
if (strpos($Objlist,$_GET['object']) === FALSE) {
die();
}

Dying will stop the rest of the PHP from being executed.
Posted by Shmeeps on 2006-02-11 at 21:22:13
If you want to check if the file exists, then use

CODE

if(file_exists($file))


Only problem is if they use a file in a different folder.

You could store file names in a MySQL database, retrieve them, use mysql_fetch_array, then go through the array and see if the object matches any entries.

You could also do this by manually constructing the array.

For instance.

CODE

//get objectname
$object = $_GET['object'];

//get object names to check (MANUAL)
//start at index 0 so the while loop below sees every entry
$objects = array();
$objects[0] = "rawr.txt";
$objects[1] = "moo.txt";

//get object names to check (MYSQL)
//(old mysql_* extension; each row is appended to $objects)
$query = mysql_query("SELECT * FROM `Objects`");
while($row = mysql_fetch_array($query, MYSQL_ASSOC))
{
    $objects[] = $row['Object'];
}

//Foreach (works: visits every entry whatever its index)
foreach($objects as $val)
{
    if($val == $object)
    {
        //write
    }
}

//or While
$i = 0;
$o = count($objects);
while($i < $o)
{
    if($objects[$i] == $object)
    {
        //write
    }

    $i++;
}


This is all off the top of my head, so, yeah.
Posted by Doodle77(MM) on 2006-02-11 at 21:40:17
I hate mysql. -.-
Posted by Pie_Sniper on 2006-02-11 at 21:57:52
Hmm, what's going wrong here?

CODE
Comment.php

 <?php
     $Read = "";
     $Filename = "Data/Objects.txt";
     $File = "";

     function CheckObject()
     {
       global $Read, $File, $Filename;
       $File = fopen( $Filename, "r" );
       $Read = fread( $File, filesize( $Filename ) );
       if( strpos( $Read, $_GET['object'] ) == FALSE )
       {
         fclose( $File );
         return FALSE;
       }
       else
       {
         fclose( $File );
         return TRUE;
       }
     }
     function ReadComments()
     {
       global $Read, $File, $Filename;
       $Filename = "Data/" . $_GET['object'] . "Comments.txt";
       $File = fopen( $Filename, "r" );
       $Read = fread( $File, filesize( $Filename ) );
       fclose( $File );
     }

     if( CheckObject() )
     {
       ReadComments();
       echo "<pre style=\"font: 10pt courier new\">" . $Read . "</pre><br />";
     }
     else
     {
       echo "Death from above";
       die();
     }
   ?>

CODE
Data/Objects.txt

Welcome
cChess
Console
CToken
UI

With ?object=Welcome. cChess, Console, CToken, and UI all work, and Welcome will work if I move it, and that causes cChess to stop working. So, the top line doesn't work?

Well, I just put a blank line above Welcome, but still, why wouldn't it work without that? Oh, and how do I make sure they aren't doing ?object=Wel or ?object=come and stuff. It still lets them do that.
Posted by Shmeeps on 2006-02-12 at 00:41:37
I don't quite understand your question.

But, then again, I'm really tired, so, yeah.
Posted by Doodle77(MM) on 2006-02-12 at 08:25:09
you see this line:
CODE

$Read = fread( $File, filesize( $Filename ) );

There is a function called file_get_contents that reads an entire file into a string.
CODE

if( strpos( $Read, $_GET['object'] ) == FALSE )
{
  fclose( $File );
  return FALSE;
}

Here you need to say === FALSE . That will make it so 0 will not be read as false. That's your problem.
Posted by Pie_Sniper on 2006-02-12 at 15:25:02
Okay, but strpos returns TRUE if it finds a fraction of something, like ?object=Wel will still create Data/WelComments.txt.
Posted by Doodle77(MM) on 2006-02-12 at 17:44:06
CODE
// === so that a match at position 0 is not mistaken for "not found"
if( strpos( $Read, ' ' . $_GET['object'] . ' ' ) === FALSE )
{
  fclose( $File );
  return FALSE;
}

Use that and put a leading and trailing space in every object.
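The substring checks in this thread (strpos on Objects.txt, with or without the padding spaces) still accept any value that happens to appear inside the list, and they hinge on remembering === rather than ==. The following is an added example, not code posted in the thread, that does what Shmeeps's array approach and Doodle77's space-padded list are both reaching for: an exact-match allowlist, checked before the value ever becomes part of a file name. The function names, the identifier pattern and the temporary file used for the demonstration are assumptions; the object names are the thread's own Objects.txt.

```php
<?php
// Added example, not code from the thread. Replaces the strpos() check on
// Data/Objects.txt with an exact-match allowlist, so that ?object=Wel or
// ?object=../../Comments can never reach fopen(). Names here are assumptions.

const DATA_DIR = 'Data';

// Load the allowlist: one object name per line. Blank lines and stray
// whitespace (or "\r") are dropped, so the first line needs no blank line
// above it, which was the symptom Pie_Sniper saw with "Welcome".
function loadAllowedObjects(string $listFile): array
{
    $lines = file($listFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return [];
    }
    return array_values(array_filter(array_map('trim', $lines), 'strlen'));
}

// Return the validated object name, or NULL if the request is not allowed.
function checkObject(string $requested, array $allowed): ?string
{
    // Plain identifier only: rules out "/", "..", spaces and newlines before
    // the value is ever used in a path, independently of the list contents.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $requested)) {
        return null;
    }
    // in_array(..., true) compares whole strings: "Wel" does not match
    // "Welcome", and there is no 0-vs-FALSE confusion as with strpos().
    return in_array($requested, $allowed, true) ? $requested : null;
}

// Only ever called with a value that checkObject() returned.
function commentsPath(string $object): string
{
    return DATA_DIR . '/' . $object . 'Comments.txt';
}

// Constructed demonstration data: the thread's Objects.txt in a temp file.
$listFile = tempnam(sys_get_temp_dir(), 'objects');
file_put_contents($listFile, "Welcome\ncChess\nConsole\nCToken\nUI\n");
$allowed = loadAllowedObjects($listFile);
unlink($listFile);

// Constructed requests: two valid names, the partial names from the thread,
// the traversal value from the thread, and junk.
$requests = ['Welcome', 'UI', 'Wel', 'come', '../../Comments', 'Welcome Console', ''];
foreach ($requests as $r) {
    $ok = checkObject($r, $allowed);
    printf("%-20s -> %s\n", var_export($r, true),
        $ok === null ? 'rejected' : 'read ' . commentsPath($ok));
}

// In Comment.php / WriteComment.php the call would be:
//   $object = checkObject($_GET['object'] ?? '', loadAllowedObjects('Data/Objects.txt'));
//   if ($object === null) { http_response_code(404); die('Unknown object'); }
```

Only 'Welcome' and 'UI' are accepted; everything else is rejected before any file is opened or created, which also closes the "creates files for non-existent objects" behaviour noticed earlier in the thread.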
Posted by Pie_Sniper on 2006-02-12 at 19:44:53
w00t. Now to stop this:

[screenshot posted by the author, not preserved]

You could post a website the way it is set up. I have to go, so I'll comment more later.
Posted by Shmeeps on 2006-02-12 at 20:01:54
If you want to stop that a quick and easy way, use htmlspecialchars. It just turns it all into &gt; &amp; &nbsp; &lt; etc., so it can't be used as HTML.
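The thread's WriteComment.php concatenates the raw name and comment straight into the <span> markup that Comment.php later echoes, so anything a visitor types is stored and replayed as live HTML. Below is an added example, not code from the thread, showing the htmlspecialchars() fix applied at the point where the comment line is built, together with an append-with-lock write in place of the read-whole-file-then-rewrite sequence. The function names, the temp file and the sample comments are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: escape the two user-supplied
// fields before they are concatenated into the stored markup, so a comment
// is always displayed as text. Names and sample input are assumptions.

// Escape one untrusted string for insertion into HTML text or attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same markup the thread's WriteComment.php produces, with both fields escaped.
function formatComment(string $name, string $comment): string
{
    return "\n<span style=\"color: RGB( 128, 0, 128 )\">" . h($name) . '</span>'
         . '<span style="color: RGB( 192, 192, 192 )">:</span> '
         . '<span style="color: RGB( 0, 0, 128 )">' . h($comment) . '</span>';
}

// Append in one call under an exclusive lock instead of read-all / rewrite-all,
// so two visitors submitting at the same moment cannot lose each other's comment.
function appendComment(string $file, string $name, string $comment): void
{
    file_put_contents($file, formatComment($name, $comment), FILE_APPEND | LOCK_EX);
}

// Returns the stored comments as a string (a return value rather than globals).
function readComments(string $file): string
{
    $data = file_get_contents($file);
    return $data === false ? '' : $data;
}

// Constructed input: a comment that would have become live markup in the original.
$file = tempnam(sys_get_temp_dir(), 'comments');
appendComment($file, 'Eve', '<script>alert(1)</script>');
appendComment($file, 'Bob', 'Looks "fine" & works');
echo readComments($file), "\n";
unlink($file);
```

The first stored line contains `&lt;script&gt;alert(1)&lt;/script&gt;` rather than a script element, so echoing the file inside the existing `<pre>` shows the text literally. Escaping once at write time keeps the stored file inert; if the file is ever shown somewhere that does not go through this path, escaping again at output time does no harm.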
Posted by Pie_Sniper on 2006-02-12 at 21:08:40
Muhahahaha my demon is now complete! Thanks a lot Shmeeps and Doodle77.
Posted by RexyRex on 2006-02-13 at 18:42:34
readComments doesn't return anything, it only sets globals...so in other words, you don't need to make it a function. I'd just make it return $read to make life easier.
Posted by Doodle77(MM) on 2006-02-13 at 20:18:30
Another note, die takes a string argument, so rather than saying
CODE

echo "death from above";
die();

you can say:
CODE

die("Death from above");
Posted by Pie_Sniper on 2006-02-13 at 21:36:22
I like to separate everything into functions, I picked it up since I started with C++. Might as well do that though; not like I really use them anywhere else. PHP functions are strange, don't they have a return value? Or can you just return whatever you want? Just like not having variable types.
Posted by RexyRex on 2006-02-13 at 23:01:29
For custom PHP functions, you must set a return value. Such as return $var;
Note that when returning a value, the function does not execute anything under that statement.

Also, exit() is the same as die() without any parameters. Probably has some minimalistic effect on execution time, like .00000000001.
Posted by Pie_Sniper on 2006-02-13 at 23:16:13
I meant, in C++, you have to do this:
QUOTE
int Function()
{
  int A = 5;
  return A;
}

but in PHP, you just do
QUOTE
function Something() //No return value type
{
  $Var = 56; //No type
  return $Var;
}
Posted by RexyRex on 2006-02-14 at 19:15:09
You can juggle types with functions like intval(), strval()...etc...

http://us3.php.net/manual/en/language.type...pe-juggling.php