I wrote the following code, and I am wondering if there is a better way to do what I want.
Basically, the code reads a few files and writes HTML forms to edit each of them. I am sending the file name via POST data, but it seems like a security risk to do that.
Is there a better or proper way to do what I'm doing?
Code:
<?php
foreach (glob('*.html', GLOB_NOSORT) as $file) {
echo '<form action="write.php">';
echo '<textarea name="' . basename($file, '.html') . '" cols="80" rows="20">' . file_get_contents($file) . '</textarea>';
echo '<input type="hidden" name="file" value="' . $file . '"><br><br>';
echo '<input type="submit" value="Save Edit"><br><br>';
}
?>
Let's ignore for the moment that you're letting a user edit server side files. I'm just going to assume that you have sorted out all the authentication/authorization/injection issues and the only problem you have left is the file name.
So, you don't want the user knowing/monkeying around with your file names. Instead of writing the name to the page, generate a long and random token that you associate with the file being edited. Then when the post comes back, look up the token and you know what file is being edited. If you get back a token you do not recognize, you can drop the request. From the HTML side, all that the user sees is an opaque token. The file name never leaves your server.
Now that we have that out of the way, go back to paragraph one and make sure that you have all those boxes checked. There are potentially much worse problems than a file name here.
Client-side security/validation must always be built on top of robust server-side equivalents. And if you can't afford both, only the latter is mandatory.
If your backend code looks like this:
$fp = fopen($_POST['file'], 'w');
fwrite($fp, $_POST[basename($_POST['file'], '.html')]);
fclose($fp);
... the real problem is that you provide write-access to your complete hard disk. It's the equivalent of storing your SQL queries in forms.