Electronic documents are all well and good - but when you work on them collaboratively, they can end up being more difficult to handle than ordinary pieces of paper. Multiple versions, competing standards, access permissions and revision history tracking are just some of the issues that arise in a paperless office. This article discusses building and deploying a document management system across your network - and also teaches beginners a little bit about designing Web-based applications with PHP and MySQL in the process.
Since "add.php" is a form, the script is divided into two sections; the first section displays the form, while the second section processes the form data.
<?
if(!$submit)
{
// form has not been submitted yet -> display form
?>
<table border="0" cellspacing="5" cellpadding="5">
<form action="<? echo htmlspecialchars($PHP_SELF); ?>" method="POST"
enctype="multipart/form-data">
<tr>
<td><b>Location</b></td>
<td colspan=3><input name="file" type="file"></td>
</tr>
<!-- snip! -->
<tr>
<td valign="top"><b><i>View</i> rights</b></td>
<td><select name="view[]" multiple>
<?
// query to get a list of available users
$query = "SELECT id, username FROM user ORDER BY username";
$result = mysql_db_query($database, $query, $connection) or die ("Error in
query: $query. " . mysql_error());
while(list($id, $username) = mysql_fetch_row($result))
{
$str = "<option value=\"$id\"";
// pre-select logged-in user's name
if ($id == $SESSION_UID) { $str .= " selected"; }
// escape the username before writing it into the page
$str .= ">" . htmlspecialchars($username) . "</option>";
echo $str;
}
?>
</select></td>
</tr>
<!-- snip! -->
</form>
</table>
<?
}
else
{
// form processing code
}
?>
A couple of points to be noted about this form. First, since I plan to use this to upload files, I've specified the form encoding type to be "multipart/form-data" and added a form field of type "file". And a little further down, I've queried the database to generate a list of users so that rights can be assigned appropriately. Note how I'm checking each user's ID against the current $SESSION_UID in order to pre-select the current user's name.
Although I'm going to use the results of the SELECT query in two places - to generate a list for both "view" and "modify" rights - it isn't necessary to run the query twice. This is because the mysql_data_seek() function takes you back to the top of the current resultset, allowing you to reuse query results more than once.
<!-- code for "modify" rights user list -->
<td><select name="modify[]" multiple>
<?
mysql_data_seek($result, 0);
while(list($id, $username) = mysql_fetch_row($result))
{
$str = "<option value=\"$id\"";
if ($id == $SESSION_UID) { $str .= " selected"; }
// escape the username before writing it into the page
$str .= ">" . htmlspecialchars($username) . "</option>";
echo $str;
}
mysql_free_result ($result);
mysql_close($connection);
?>
</select></td>
Once the form is submitted, the same script is called; however, since the $submit variable will now exist, the second half of the script springs into action.
<?
if (!$submit)
{
// form
}
else
{
// form has been submitted -> process data
// checks
// no file!
if ($file_size <= 0) { header("Location:error.php?ec=11"); exit; }
// no users with view rights!
if (sizeof($view) <= 0) { header("Location:error.php?ec=12"); exit; }
// no users with modify rights!
if (sizeof($modify) <= 0) { header("Location:error.php?ec=12"); exit; }
// check file type
// initialise the flag here so it cannot arrive pre-set from request data
$allowedFile = 0;
foreach($allowedFileTypes as $type)
{
if ($file_type == $type)
{
$allowedFile = 1;
break;
}
}
// illegal file type!
if ($allowedFile != 1) { header("Location:error.php?ec=13"); exit; }
// all checks completed, proceed!
// INSERT into db
$query = "INSERT INTO data (category, owner, realname, created,
description, comment) VALUES('$category', '$SESSION_UID', '$file_name',
NOW(), '$description', '$comment')";
$result = mysql_db_query($database, $query, $connection) or die ("Error in
query: $query. " . mysql_error());
// get id from INSERT operation
$fileId = mysql_insert_id($connection);
// INSERT user permissions - view
for($x=0; $x<sizeof($view); $x++)
{
$query = "INSERT INTO perms (fid, uid, rights) VALUES('$fileId',
'$view[$x]', '1')";
$result = mysql_db_query($database, $query, $connection) or die ("Error in
query: $query. " . mysql_error());
}
// INSERT user permissions - modify
for($x=0; $x<sizeof($modify); $x++)
{
$query = "INSERT INTO perms (fid, uid, rights) VALUES('$fileId',
'$modify[$x]', '2')";
$result = mysql_db_query($database, $query, $connection) or die ("Error in
query: $query. " . mysql_error());
}
// use id to generate a file name
// save uploaded file with new name
$newFileName = $fileId . ".dat";
copy($file, $dataDir . $newFileName);
// back to main page
$message = "Document successfully added";
// URL-encode the message so spaces survive the redirect
header("Location: out.php?message=" . urlencode($message));
mysql_close($connection);
}
?>
The first thing to be done is to verify certain file properties - for example, the file size must be greater than zero bytes, and the file must be of an allowed file type. In order to perform these checks, I'm using the four variables created by PHP whenever a file is uploaded - $file is the temporary file name assigned by PHP, $file_size is the size of the uploaded file, $file_type returns the MIME type, and $file_name is the original name of the file.
Assuming everything checks out OK, I then process the descriptive data entered by the user, INSERT it into the "data" table, process the list of users with "view" and "modify" rights, INSERT this data into the "perms" table, rename the uploaded file and copy it to the storage area, and redirect the browser back to "out.php" with a status message indicating success.
There is an interesting chicken-and-egg situation here that you may be familiar with. I need to rename the newly-uploaded file to "fileID.dat"; however, I can only do this once the record has been inserted into the table and an ID generated for it. Once the ID is generated, I would normally need to query the table again to obtain the ID. However, the mysql_insert_id() function stores the ID generated by the last INSERT operation, and can conveniently be used here.
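The same processing steps written for current PHP, as an added example that is not the article's code: it reads the upload from the $_FILES entry instead of register_globals variables, confirms the temporary file with is_uploaded_file(), takes the MIME type from the file's contents rather than the browser-supplied value, and writes the "data" and "perms" rows with PDO prepared statements in one transaction. The function names clean_ids() and add_document(), the PDO handle, and the reuse of the article's error codes as exception codes are assumptions.

```php
<?php
// Added example, not the article's code. Assumes PHP 7.4+, the fileinfo
// extension, and a PDO handle in ERRMODE_EXCEPTION on transactional tables.
function clean_ids(array $ids): array
{
    // keep only strictly valid positive integer user ids, de-duplicated
    $ok = fn($id) => filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return array_values(array_unique(array_filter(array_map($ok, $ids))));
}

function add_document(PDO $db, array $upload, array $form, int $ownerId,
                      string $dataDir, array $allowedTypes): int
{
    $view   = clean_ids((array) ($form['view'] ?? []));
    $modify = clean_ids((array) ($form['modify'] ?? []));
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || $upload['size'] <= 0 || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('no file', 11);
    }
    if (!$view || !$modify) {
        throw new RuntimeException('no users with rights', 12);
    }
    // MIME type from the file's bytes, not the browser-supplied header
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!in_array($type, $allowedTypes, true)) {
        throw new RuntimeException('illegal file type', 13);
    }
    $db->beginTransaction();
    try {
        $stmt = $db->prepare('INSERT INTO data (category, owner, realname, created,
            description, comment) VALUES (?, ?, ?, NOW(), ?, ?)');
        $stmt->execute([$form['category'] ?? '', $ownerId, basename($upload['name']),
            $form['description'] ?? '', $form['comment'] ?? '']);
        $fileId = (int) $db->lastInsertId();
        $perm = $db->prepare('INSERT INTO perms (fid, uid, rights) VALUES (?, ?, ?)');
        foreach ([1 => $view, 2 => $modify] as $rights => $uids) {
            foreach ($uids as $uid) { $perm->execute([$fileId, $uid, $rights]); }
        }
        // the stored name comes from the database id, never from user input
        if (!move_uploaded_file($upload['tmp_name'], $dataDir . $fileId . '.dat')) {
            throw new RuntimeException('could not store upload');
        }
        $db->commit();
        return $fileId;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}
```

A caller would pass `$_FILES['file']`, `$_POST`, the session's user ID, the storage directory and the allowed-type list, then redirect to error.php with `$e->getCode()` when an exception carries one of the article's codes.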
This article copyright Melonfire 2001. All rights reserved.