so now..is this secure?
this is the code:
Code: Select all
<?php
/**Made by Jordan Earls...
it depends on you to send a valid filename in 'file' and for you to put a style
this can be 'blog' for blogging like updating, or anything else for standard editing
also the plain text user password is sent in 'pass' and umm..that's it..NOTE no 'edit' value should
be sent from the calling script, it should only be used internally with this file!(everything should be in POST
**/
$password="<CENSORED>"; //the MD5 hashed password
if($_POST['edit']=="edit"){ //if we need to edit the file
file_put_contents($_POST['file'],stripslashes(html_entity_decode($_POST['new_text'],ENT_NOQUOTES))); //dunno why we stripslashes twice, but it works..
echo "File updated!"; //stay calm! lol
}
if($_POST['edit']=="blog"){ //If using blog like editing
$retr=chr(13).chr(10); //just a convientent way to say '\n\r'
$past_content=file_get_contents($_POST['file']); //store the current contents..
$fhandle=fopen($_POST['file'],"w+b");
fwrite($fhandle,":.:".'<font size=5><u>'.stripslashes($_POST['name']).'</u></font>'.":.:".$retr); //write the first line which has the submission name
fwrite($fhandle,stripslashes($_POST['text'])); //write the actual text after it
fwrite($fhandle,$retr.'<font size=1>'.'['.date("r").']'.'</font>'.$retr.$retr.'<hr>'.$retr); //now write a small timestamp
fwrite($fhandle,$past_content); //write it back
fclose($fhandle);
echo "Blog File Updated!";
}
?>
<html>
<head>
<title>Edit Pages</title>
</head>
<body>
<?php
if(md5($_POST['pass'])==$password){
?>
<form name="input" action="" method="POST">
<?php
if($_POST['style']!="blog"){
?>
<textarea rows=40 cols=80 name="new_text"><?php echo stripslashes(htmlentities(file_get_contents($_POST['file']),ENT_NOQUOTES)); ?></textarea>
<input type="hidden" name="file" value="<?echo $_POST['file'];?>"><br>
<input type="hidden" name="edit" value="edit"><br>
<input type="hidden" name="style" value="<?echo $_POST['style'];?>">
<input type="hidden" name="pass" value="<?echo $_POST['pass'];?>">
<input type="submit" name="submitbut" value="Edit File">
<?php
}else{ //if using blog way
?>
Name of submission: <input type="text" name="name"><br><br>
<textarea rows=20 cols=40 name="text"></textarea><br><br>
<input type="hidden" name="file" value="<?echo $_POST['file'];?>">
<input type="hidden" name="edit" value="blog">
<input type="hidden" name="style" value="<?echo $_POST['style'];?>">
<input type="hidden" name="pass" value="<?echo $_POST['pass'];?>">
<input type="submit" name="submitbut" value="Edit
<?}?>
</form>
<?php
}else{ //the password didn't match!
?>
You are not allowed to access this page, the password was incorrect...(don't try anything stupid you hackers)
<?}?>
Code: Select all
<form name="edit" action="update.php" method="POST">
<input type="password" name="pass"><br>
<input type="hidden" name="file" value="<?echo $content_filename?>">
<input type="hidden" name="style" value="<?echo $edit_style?>">
<input type="submit" value="Edit This Page"><br>
</form>
so is all of this stuff secure? like, unless someone decides to just attack with random passwords, it's pretty much hack-proof?
I really don't care that my password is sent unencrypted btw..I use a different password for it anyway..