What's the best way to protect against dynamic file access using URL variables? I'm concatenating two URL variables that will form the filename I want to access which will load XML.
$type = $_REQUEST['type']
//(ie. AB);
$timeframe = $_REQUEST['timeframe']
//(ie. 00.04);
//create XML document object model (DOM)
$main_doc = new DOMDocument();
$s = SITE_DIR."/data/file.".$type.".".$timeframe.".xml";
// example file.AB.00.04.xml)
// will be adding test to see if file exists
$main_doc->load($s);
You should check that the request string does not contain ".." and also doesn't contain "/" (or "\" if you're on windows) so that the path does not point to a directory other than one you are referencing.
Perhaps try this:
$timeframe = str_replace(array('..','/','\'),array('','',''),$timeframe);
Related
I have the following code:
include('../scrape/simple_html_dom.php');
$file = "http://www.espn.com/golf/leaderboard?tournamentId=2233";
$html = new simple_html_dom();
$html->load_file($file);
foreach($html->find('table[class="leaderboard-table round-4"]') as $div){
$Rd1 = $div->find('td[class="round2 in post"]');
}
I'm attempting to parse the data from that url and then insert by 'class=full-name" the Round1, Round2, Round3 and Round4 scores.
Hower, I keep getting an error that this is an array to string conversion. Can anyone offer guidance? I can't even isolate the data to insert it into a DB.
It depends what your simple_html_dom() class does but just offhand, it's likely you have to first get the contents of the file and load that string since you don't have direct ownership of the file:
include('../scrape/simple_html_dom.php');
$file = "http://www.espn.com/golf/leaderboard?tournamentId=2233";
$html = new simple_html_dom();
# FETCH THE CONTENTS FIRST
$html = file_get_contents($file);
# THIS MAY BE LOADING A FILE, SO INSTEAD LOAD STRING
# PERHAPS THERE IS A load_string() METHOD?
$html->load_file($html);
/**Continue code...**/
If you need to load from a file, get the contents and temporarily store to a file using file_put_contents($html,'temp.txt'), then use the load_file() method...but it all depends what this class does.
How to find file by name without specific extension in laravel Storage?
like this "filename.*"
Storage::get("filename.*")
I tried this but seems not to work. It searches for specific file with specific extension.
Storage::get() takes a file path as a parameter and returns the content of a single file identified by this path or throws FileNotFoundException if file can't be found.
Wildcards are not supported in the path - one reason for that could be that there might be multiple files that match the path with wildcards which would break the rule that content of a single file is returned from Storage::get(). Scanning the whole folder would also be much slower, especially with remote storages.
However, you could get what you want using other functionality that Storage facade offers. First, list the content of your storage - that will give you the list of all available files. Then filter the list yourself to get the list of matching files.
// list all filenames in given path
$allFiles = Storage::files('');
// filter the ones that match the filename.*
$matchingFiles = preg_grep('/^filename\./', $allFiles);
// iterate through files and echo their content
foreach ($matchingFiles as $path) {
echo Storage::get($path);
}
Accepted solution works. However I've found this other and I like it more:
$matchingFiles = \Illuminate\Support\Facades\File::glob("{$path}/*.log");
See reference here:
http://laravel-recipes.com/recipes/143/finding-files-matching-a-pattern
Minor change to jedrzej.kurylo's answer and combining wogsland's answer using laravel 8:
'/^filename\./' or '/filename\./' pattern does not work in my case.
// From:
$matchingFiles = preg_grep('/^filename./', $allFiles);
// To:
$allFiles = Storage::disk('yourStorageDisk')->files('folder/path');
$allowedMimeTypes = ['image/jpeg', 'image/png', 'image/webp'];
$matchingFiles = preg_grep('{'.$image.'}', $allFiles);
foreach ($matchingFiles as $path) {
// get real mime type
$contentType = image_type_to_mime_type(exif_imagetype(asset($path)));
// compare it with our allowed mime types
if (in_array($contentType, $allowedMimeTypes)) {
// do something here...
}
}
This way we can fetch files or images safely.
Dont trust what you see. Get inside and get the ext for your file
$pic = 'url/your.file';
$ext = image_type_to_mime_type(exif_imagetype($pic));
$ext = explode('/',$ext);
echo $ext[1];
I am using COM in Php and i want to get the file name of the ms word file which is currently open/Active. When i use the below code it is only giving me the output "Microsoft Word" but i need the filename too.
$word = new variant(com_get_active_object("word.application"));
echo "$word";
You will need to interact with the application object.
Here is the reference
There it says, for instance, that it has a property to get the ActiveDocument.
And the active document has a property called FullName, which is a string containing the full path of the file.
I donĀ“t know the PHP syntax, but should be something like
$document = word.ActiveDocument
$filename = document.FullName
I have my DOMDocument saved as $xml.
I have the node loaded, I also have a custom field i've made which is called 'field_xml_file'.
But I can't quite seem to get how to save the file and insert it into the node.
I currently have this:
$fileName = 'file.xml';
$file = file_save_data($xml, 'public://', $fileName);
$newRevision->field_xml_file[LANGUAGE_NONE][] = (array)$file;
node_save($node);
Any help?
$fileName is not supposed to be third parameter. Change that line to:
$file = file_save_data($xml, 'public://'.$fileName);
second parameter is full file name, using drupal stream wrappers.
also, if this is literally code you are using, you need to change $newRevision to $node in order to save changes
I want to be able to open the provided URL (which is done via a form) that is an URL that will allow the server to save the file into a directory, for example:
http://www.google.co.uk/intl/en_com/images/srpr/logo1w.png
I want to save that logo into this directory:
img/logos/
Then it will add it to the database by giving it a random file name before so, e.g.
827489734.png
It will now be inserted to the database with the following:
img/logos/827489734.png
I do not want to use cURL for this, I like to work with fopen, file_get_contents, etc...
Cheers.
EDIT
$logo = safeInput($_POST['logo']);
if(filter_var($avatar, FILTER_VALIDATE_URL))
{
$get_logo = file_get_contents($logo);
$logo_directory = 'img/logos/';
$save_logo = file_put_contents($logo_directory, $logo);
if($save_logo)
{
$logo_path = $logo_directory . $save_logo;
A part of this code I need helping...
You need to specify a full file name when doing a file_put_contents(). A pure directory name won't cut it.