  1. #1
    New Coder
    Join Date
    Dec 2013
    Location
    USA
    Posts
    16
    Thanks
    13
    Thanked 0 Times in 0 Posts

    Use login cookies to determine file names.

    I have a button on a website that runs a PHP script. In the script is code that finds a specific file (the one named after your login name) and replaces a specific line of code in that file. The thing I'm trying to figure out is how I can use your login name from your cookies as a variable for the file name it's trying to find.

    PHP Code:
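    // $name is not set anywhere yet; where it should come from is the question.
    // Double quotes are needed so that $name is interpolated into the path.
    $data = file("./users/$name.txt"); // reads an array of lines

    // Switch a "lostmode=off" line to "lostmode=on"; other lines pass through unchanged.
    function replace_a_line($data) {
        if (stristr($data, 'lostmode=off')) {
            return "lostmode=on\n";
        }
        return $data;
    }

    $data = array_map('replace_a_line', $data);
    file_put_contents("./users/$name.txt", implode('', $data));
    /* Redirect browser */
    header("Location: http://www.lostmode.bugs3.com/controls.php");
    /* Make sure that code below does not get executed when we redirect. */
    exit;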

  • #2
    Senior Coder CFMaBiSmAd
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,092
    Thanks
    2
    Thanked 322 Times in 314 Posts
    Storing a username in a cookie and using that value to control access is not secure. Anyone can set a cookie to any value they want.

    Further, using that value from a cookie to determine which file to access, without fully validating the value to ensure it doesn't contain any arbitrary path/filename, will at best allow someone to corrupt any file on your site and at worst will allow someone to write PHP code to a file and then run that code to take over your site.

    For login purposes, use session variables and store the username in a session variable. Session variables are safe from the manipulations I have mentioned, because it is only your code that can set the session variables, so using the value from the session variable to reference a file is out of the hands of the visitor. Edit: provided you are validating usernames when someone registers to ensure they don't have the format of "some_path/some_filename".
    Last edited by CFMaBiSmAd; 12-09-2013 at 04:44 AM.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #3
    New Coder
    Join Date
    Dec 2013
    Location
    USA
    Posts
    16
    Thanks
    13
    Thanked 0 Times in 0 Posts
    Thanks for replying! How would I use section variables because the username is stored in both?
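
The session-based approach recommended in reply #2, as an added example that is not part of any post in this thread: the username is written to `$_SESSION` at login, checked against an allow-list, and only then mapped to a file under `./users`. The username pattern and the helper names `on_login()`, `user_file()` and `set_lostmode_on()` are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Assumed: usernames are 3-32 characters
// of letters, digits, "_" or "-", and the same check runs at registration.
const USER_DIR = __DIR__ . '/users';

function is_valid_username($name): bool {
    // Allow-list: "/", "\", "." and NUL cannot pass, so no path can be smuggled in.
    return is_string($name) && preg_match('/\A[A-Za-z0-9_-]{3,32}\z/', $name) === 1;
}

// Hypothetical hook: call after the password check succeeds (session already started).
function on_login(string $name): void {
    session_regenerate_id(true);    // fresh session ID once authenticated
    $_SESSION['username'] = $name;  // kept server-side; the browser holds only the ID
}

// Map a username to its settings file, or null if it is invalid or outside USER_DIR.
function user_file($name): ?string {
    $base = realpath(USER_DIR);
    $path = is_valid_username($name) ? realpath(USER_DIR . "/$name.txt") : false;
    if ($base === false || $path === false) {   // invalid name or missing file
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;      // also rejects symlinks leaving USER_DIR
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function set_lostmode_on(string $path): bool {
    $lines = file($path);
    if ($lines === false) {
        return false;
    }
    foreach ($lines as $i => $line) {
        if (stripos($line, 'lostmode=off') !== false) {
            $lines[$i] = "lostmode=on\n";
        }
    }
    return file_put_contents($path, implode('', $lines), LOCK_EX) !== false;
}

// Button handler: the file name comes from the session, never from $_COOKIE.
session_start();
$path = user_file($_SESSION['username'] ?? null);
if ($path === null || !set_lostmode_on($path)) {
    http_response_code(403);
    exit('Not logged in or settings file unavailable.');
}
header('Location: http://www.lostmode.bugs3.com/controls.php');
exit;
```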

