This is my original code to upload text files in my website:
<?php
$myFile = $_GET['myFile'];
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = $_GET['stringData'];
fwrite($fh, $stringData);
fclose($fh);
?>
Is it secure enough for you or should I use something like this:
<?php
if (isset($_GET['myFile'])) {
    $myFile = basename($_GET['myFile']);
    $fh = fopen($myFile, 'w') or die("can't open file");
}
$stringData = $_GET['stringData'];
fwrite($fh, $stringData);
fclose($fh);
?>
The first code does not upload files to your server; it just creates a text file with the name and content specified on the client's side.
The second code can fail if you do not specify the value of myFile: the second part will try to write in a file that was never created.
You basically allow uploading any file to the current directory...
For example, uploading a PHP script that does whatever the attacker wants.
No... you should never write code like that.
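As an added example that is not part of the question or any of the answers above, here is a hardened rewrite of the handler that addresses both points raised: the crash when myFile is missing, and the write to an attacker-chosen path and name. It assumes a dedicated ./uploads directory (hypothetical) where the web server does not execute PHP, and a 64 KiB size limit chosen for illustration.

```php
<?php
// Added example (not from the question or any answer): hardened version of the handler.
// Assumptions: ./uploads exists, is writable, and is configured so PHP is never executed there.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed upload directory
const MAX_BYTES  = 64 * 1024;              // assumed size limit for a text file

// Validate the client-supplied name and return the absolute path inside UPLOAD_DIR,
// or null when the name is rejected.
function safeUploadPath(string $name): ?string
{
    // Only a short alphanumeric basename ending in .txt: this rejects path separators,
    // "..", null bytes, and executable extensions such as .php, .phtml or .phar.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $name)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return null;                       // upload directory missing or unreadable
    }
    $path = $base . DIRECTORY_SEPARATOR . $name;
    // Defence in depth: the resolved parent directory must still be UPLOAD_DIR.
    if (realpath(dirname($path)) !== $base) {
        return null;
    }
    return $path;
}

// Reject missing or malformed parameters explicitly instead of crashing on an
// unassigned $fh, and take them from POST: a write is not a safe GET operation.
$name = $_POST['myFile'] ?? null;
$data = $_POST['stringData'] ?? null;
if (!is_string($name) || !is_string($data) || strlen($data) > MAX_BYTES) {
    http_response_code(400);
    exit('missing or oversized parameters');
}
$path = safeUploadPath($name);
if ($path === null) {
    http_response_code(400);
    exit('invalid file name');
}
// LOCK_EX prevents interleaved writes from concurrent requests to the same name.
if (file_put_contents($path, $data, LOCK_EX) === false) {
    http_response_code(500);
    exit("can't open file");
}
echo 'stored';
```

The extension allow-list, not basename() alone, is what stops a client from dropping a .php file next to the script; basename() only strips directory components and leaves the name and extension entirely under the client's control.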