The Web Design Group

... Making the Web accessible to all.

fwrite won't make a new file if it contains a question mark?
allenph
post Mar 3 2012, 06:22 AM
Post #1


Novice
**

Group: Members
Posts: 21
Joined: 15-February 12
Member No.: 16,477



So there is no need to post code because I know for a fact it works. It is weird I can do an fwrite of my new .php page and it will create a new file for me with !./,\ whatever punctuation you want...other than question marks. Kind of strange! Anyone know why this is happening?
Brian Chandler
post Mar 3 2012, 07:07 AM
Post #2


Jocular coder
********

Group: Members
Posts: 2,222
Joined: 31-August 06
Member No.: 43



No idea. Try the php manual

http://jp2.php.net/manual/en/function.fwrite.php



--------------------
Brian Chandler
Nothing in this post constitutes "commercial solicitation". PayPal does not solicit residents of Japan. Contents may settle in transit. "Legal mind" may or may not be brain-damaged.
allenph
post Mar 3 2012, 07:30 AM
Post #3


Novice
**

Group: Members
Posts: 21
Joined: 15-February 12
Member No.: 16,477



Ya doesn't say anything... code...

<?php
session_start();
?>
<?php
// Path and link for the new thread page, built directly from the submitted title.
$new_thread_page_path = 'general_discussion_threads/' . $_POST['thread_title'] . '.php';
$new_table_link = '<a href="' . $new_thread_page_path . '"' . 'class="hover" border="0" style="text-decoration:none">' . $_POST['thread_title'] . '</a>';
?>
<?php
$place_holder = '<!--the_place_holder-->';

// Read the forum home page and the thread template.
$current_page_path = 'general_discussion_home.php';
$open_current_page = fopen($current_page_path, 'rb');
$contents_of_current_page = fread($open_current_page, filesize($current_page_path));
$template_path = 'general_discussion_threads/template.php';
$open_template = fopen($template_path, 'rb');
$template_contents = fread($open_template, filesize($template_path));

$new_thread_page_path = 'general_discussion_threads/' . $_POST['thread_title'] . '.php';
$list_file_path = 'general_discussion_threads/thread_list.txt';
$list_open = fopen($list_file_path, 'rb');
$list_open_write = fopen($list_file_path, 'a');
// The new page is opened (and so created) here, before any of the checks below run.
$open_new_thread_page = fopen($new_thread_page_path, 'w+');
$list_contents = fread($list_open, filesize($list_file_path));

// Checks: title already listed, or title contains '<' or '>'.
$thread_exists_test = substr_count($list_contents, '<' . strtolower($_POST['thread_title'] . '>'));
$invalid_character_test = substr_count($_POST['thread_title'], '<');
$invalid_character_test1 = substr_count($_POST['thread_title'], '>');

if (isset($_POST['new_thread_post'])) {
    if (($_SESSION['logged_in'] == '1') && ($invalid_character_test1 == '0') && ($invalid_character_test == '0') && ($thread_exists_test == '0') && ($_POST['thread_title'] != '') && ($_POST['thread_title'] != 'Enter the title of your Thread...')) {
        // Write the title into the generated page, followed by the template.
        fwrite($open_new_thread_page, '<?php $the_thread_title = ' . '\'' . $_POST['thread_title'] . '\'' . '; ?>' . $template_contents);
        fclose($open_new_thread_page);
        // Record the title in the thread list.
        fwrite($list_open_write, '<' . strtolower($_POST['thread_title']) . '>');
        fclose($list_open_write);
        // Insert a link row into the home page just before the placeholder.
        $new_contents = str_replace($place_holder, '<tr><td>' . $new_table_link . '</td></tr>' . $place_holder, $contents_of_current_page);
        $open_current_page = fopen($current_page_path, 'w');
        fwrite($open_current_page, $new_contents);
        fclose($open_current_page);
        $_SESSION['gd_error'] = 'Thread created successfully!';
    } elseif ($_SESSION['logged_in'] != '1') {
        $_SESSION['gd_error'] = 'You need to be logged in!';
    } elseif ($invalid_character_test != '0') {
        $_SESSION['gd_error'] = 'Thread title contains invalid characters!';
    } elseif ($invalid_character_test1 != '0') {
        $_SESSION['gd_error'] = 'Thread title contains invalid characters!';
    } elseif ($thread_exists_test != '0') {
        $_SESSION['gd_error'] = 'Thread title unavailable!';
    } elseif ($_POST['thread_title'] == '') {
        $_SESSION['gd_error'] = 'You must make a thread title!';
    } elseif ($_POST['thread_title'] == 'Enter the title of your Thread...') {
        $_SESSION['gd_error'] = 'You must make a thread title!';
    }
}
?>
Brian Chandler
post Mar 3 2012, 12:23 PM
Post #4


Jocular coder
********

Group: Members
Posts: 2,222
Joined: 31-August 06
Member No.: 43



Where is this question mark? What have you done about debugging the program?



--------------------
Brian Chandler
Nothing in this post constitutes "commercial solicitation". PayPal does not solicit residents of Japan. Contents may settle in transit. "Legal mind" may or may not be brain-damaged.
Ephraim F. Moya
post Mar 3 2012, 06:31 PM
Post #5


Advanced Member
****

Group: Members
Posts: 167
Joined: 2-September 07
From: New Mexico
Member No.: 3,702



QUOTE(allenph @ Mar 3 2012, 04:22 AM) *

So there is no need to post code because I know for a fact it works. It is weird I can do an fwrite of my new .php page and it will create a new file for me with !./,\ whatever punctuation you want...other than question marks. Kind of strange! Anyone know why this is happening?


Unix allows almost any char in a file name. A couple have to be quoted. See http://www.cyberciti.biz/faq/linuxunix-rul...irectory-names/

Special characters (except _ and .) are considered VERY BAD FORM in a file or folder name.

Randomly making files with strange characters in the name is not a good way to test which work and don't work.



--------------------
Ephraim F. Moya
"Los pintos y los pendejos
Se conocen desde lejos."
allenph
post Mar 4 2012, 12:11 AM
Post #6


Novice
**

Group: Members
Posts: 21
Joined: 15-February 12
Member No.: 16,477



QUOTE(Brian Chandler @ Mar 3 2012, 12:23 PM) *

Where is this question mark? What have you done about debugging the program?

I have debugged. It works for everything but the question mark. The filename it should be fwriting when echoed does come up with the filename with the question mark but it just won't make the file.
Brian Chandler
post Mar 4 2012, 02:00 AM
Post #7


Jocular coder
********

Group: Members
Posts: 2,222
Joined: 31-August 06
Member No.: 43



QUOTE
I have debugged.


Good, but what I mean is "show your working".

Anyway, I still don't understand where this question mark is. Do you mean a filename including a question mark? It's much simpler to avoid such things -- look at the problems they cause: for example, any Wikipedia page with a title ending with something in parentheses gets the final ) chopped off whenever the URL is quoted in Google groups.

QUOTE
The filename it should be fwriting when echoed does come up with the filename with the question mark but it just won't make the file.


This really makes no sense. You open a file with fopen(). What does fopen() return? If it is a valid file handle, how does what not "make" the file?


--------------------
Brian Chandler
Nothing in this post constitutes "commercial solicitation". PayPal does not solicit residents of Japan. Contents may settle in transit. "Legal mind" may or may not be brain-damaged.
Brian Chandler
post Mar 4 2012, 02:07 AM
Post #8


Jocular coder
********

Group: Members
Posts: 2,222
Joined: 31-August 06
Member No.: 43



QUOTE(Ephraim F. Moya @ Mar 4 2012, 08:31 AM) *

Unix allows almost any char in a file name. A couple have to be quoted. See http://www.cyberciti.biz/faq/linuxunix-rul...irectory-names/


This doesn't quite make sense either. Quoting is something you may have to do in the shell, but if a character is allowed in a filename, then it's allowed, and is there; when you call fopen() the argument is a string which _is_ the filename. I believe that on Unix systems the only character you *cannot* have in a "filename" is /, which is always the directory separator.


QUOTE

Special characters (except _ and .) are considered VERY BAD FORM in a file or folder name.

Randomly making files with strange characters in the name is not a good way to test which work and don't work.


But this is all good sense. If you absolutely must encode arbitrary characters in a filename, why not use urlencode() on it?


--------------------
Brian Chandler
Nothing in this post constitutes "commercial solicitation". PayPal does not solicit residents of Japan. Contents may settle in transit. "Legal mind" may or may not be brain-damaged.
Ephraim F. Moya
post Mar 4 2012, 08:49 AM
Post #9


Advanced Member
****

Group: Members
Posts: 167
Joined: 2-September 07
From: New Mexico
Member No.: 3,702



The link I provided says that the only two characters you have to escape are ? and * because they are 'wild cards' and / because it's the root symbol.

The rules for file names are DIFFERENT than the rules for URLs.

I wonder what would happen if you included a 0x00 or a 0x0c or a 0x0a. You prolly wouldn't be able to open them in an editor.

This post has been edited by Ephraim F. Moya: Mar 4 2012, 08:57 AM


--------------------
Ephraim F. Moya
"Los pintos y los pendejos
Se conocen desde lejos."
Christian J
post Mar 4 2012, 09:18 AM
Post #10


.
********

Group: WDG Moderators
Posts: 6,032
Joined: 10-August 06
Member No.: 7



QUOTE(Brian Chandler @ Mar 4 2012, 08:00 AM) *

QUOTE
The filename it should be fwriting when echoed does come up with the filename with the question mark but it just won't make the file.


This really makes no sense. You open a file with fopen(). What does fopen() return? If it is a valid file handle, how does what not "make" the file?

To elaborate, IIRC fwrite() doesn't create files, it writes to an existing file. I recall you can create a file with fopen() though. I don't think you can rename a file with fwrite() either.

In addition files and directories may need correct CHMOD permissions to be writeable/createable.


--------------------
Brian Chandler
post Mar 5 2012, 01:00 AM
Post #11


Jocular coder
********

Group: Members
Posts: 2,222
Joined: 31-August 06
Member No.: 43



QUOTE(Ephraim F. Moya @ Mar 4 2012, 10:49 PM) *

The link I provided says that the only two characters you have to escape are ? and * because they are 'wild cards' and / because it's the root symbol.

The rules for file names are DIFFERENT than the rules for URLs.

I wonder what would happen if you included a 0x00 or a 0x0c or a 0x0a. You prolly wouldn't be able to open them in an editor.


You mean the file abc0x00 for example? No problem at all; it's a file with the name abc0x00 -- and you open it in an editor by typing something like gedit abc0x00 (for example).

I haven't looked at your link, but anything about "escaping" refers to the shell, not the file system itself.


--------------------
Brian Chandler
Nothing in this post constitutes "commercial solicitation". PayPal does not solicit residents of Japan. Contents may settle in transit. "Legal mind" may or may not be brain-damaged.
Ephraim F. Moya
post Mar 6 2012, 01:53 PM
Post #12


Advanced Member
****

Group: Members
Posts: 167
Joined: 2-September 07
From: New Mexico
Member No.: 3,702



QUOTE(Brian Chandler @ Mar 4 2012, 11:00 PM) *

QUOTE(Ephraim F. Moya @ Mar 4 2012, 10:49 PM) *

The link I provided says that the only two characters you have to escape are ? and * because they are 'wild cards' and / because it's the root symbol.

The rules for file names are DIFFERENT than the rules for URLs.

I wonder what would happen if you included a 0x00 or a 0x0c or a 0x0a. You prolly wouldn't be able to open them in an editor.


You mean the file abc0x00 for example? No problem at all; it's a file with the name abc0x00 -- and you open it in an editor by typing something like gedit abc0x00 (for example).

I haven't looked at your link, but anything about "escaping" refers to the shell, not the file system itself.


I don't know how to write a hex '00' in this software. In php a string ends with a hex '00'. So if you have a string "this is a string" and you put a NULL after the word 'this' then the string is interpreted as "this" by fopen(). Similarly if you put a hex '0c' or hex '0a' then the string will be interpreted 'this' because the carriage return (0c) or a line feed (0a) will be interpreted as the end-of-line symbol. Similarly, other non-printing characters, to me, are suspicious.

The *, the ? and the / should be escaped \*, \? or \/ in a file name in php or unix and, I assume, in linux.

Read the link!

This post has been edited by Ephraim F. Moya: Mar 6 2012, 01:56 PM


--------------------
Ephraim F. Moya
"Los pintos y los pendejos
Se conocen desde lejos."
Brian Chandler
post Mar 6 2012, 02:42 PM
Post #13


Jocular coder
********

Group: Members
Posts: 2,222
Joined: 31-August 06
Member No.: 43



QUOTE(Ephraim F. Moya @ Mar 7 2012, 03:53 AM) *

QUOTE(Brian Chandler @ Mar 4 2012, 11:00 PM) *

QUOTE(Ephraim F. Moya @ Mar 4 2012, 10:49 PM) *

The rules for file names are DIFFERENT than the rules for URLs.




There may be some confusion, because I suggested you can use urlencode to obtain a valid filename from an (almost) arbitrary string. The problem is that the OP is using some arbitrary user input as a filename, and this is not a good idea. But if you must follow this idea, you should somehow encode the string -- you could use base64 or anything else, as long as you get a valid filename. Which obviously you have to decode in the other direction.

QUOTE

I haven't looked at your link, but anything about "escaping" refers to the shell, not the file system itself.


Sorry, I meant I haven't read it carefully. It's not well-written nor accurate.

QUOTE

I don't know how to write a hex '00' in this software.


What do you mean by "this software"??

QUOTE

In php a string ends with a hex '00'.


Do you have any evidence for this? Conventionally C uses null-terminated strings, but PHP is totally different. Exactly how it stores a string internally I don't know, but I don't believe there is any way that a PHP program can detect any such thing.

QUOTE

So if you have a string "this is a string" and you put a NULL after the word 'this' then the string is interpreted as "this" by fopen().


How would you "put a NULL after the word 'this'"? Have you tested any of these assertions? (You could use urlencode (?) to build an arbitrary hex string...)

QUOTE

Similarly if you put a hex '0c' or hex '0a' then the string will be interpreted 'this' because the carriage return (0c) or a line feed (0a) will be interpreted as the end-of-line symbol. Similarly, other non-printing characters, to me, are suspicious.


Powerful evidence that this is false comes from the fact that you can happily include newlines in string values. If you call fopen() with a filename including invalid characters, well it will fail, but this is a property of fopen() not anything about "end-of-line" symbols.

QUOTE

The *, the ? and the / should be escaped \*, \? or \/ in a file name in php or unix and, I assume, in linux.


As I said, the link seems almost as confused as you are between escaping characters in the shell and passing strings which are filenames to fopen(). *Of course* it makes life simpler not to have odd characters in filenames, but if they are allowed, they are allowed. If * is valid in a filename, then fopen('five*six') will open a file whose name is the string 'five*six'.



--------------------
Brian Chandler
Nothing in this post constitutes "commercial solicitation". PayPal does not solicit residents of Japan. Contents may settle in transit. "Legal mind" may or may not be brain-damaged.
Ephraim F. Moya
post Mar 6 2012, 02:50 PM
Post #14


Advanced Member
****

Group: Members
Posts: 167
Joined: 2-September 07
From: New Mexico
Member No.: 3,702



It seems to me that you're confusing strings and file names. And their representation in php.

They use COMPLETELY different handlers. Confusing the whole thing is php's 'pre-handling' filename character sequences and string character sequences of characters.

This post has been edited by Ephraim F. Moya: Mar 6 2012, 02:52 PM


--------------------
Ephraim F. Moya
"Los pintos y los pendejos
Se conocen desde lejos."
Brian Chandler
post Mar 6 2012, 03:26 PM
Post #15


Jocular coder
********

Group: Members
Posts: 2,222
Joined: 31-August 06
Member No.: 43



QUOTE
Confusing the whole thing is php's 'pre-handling' filename character sequences and string character sequences of characters.


Can you give a manual reference that explains this? If not, perhaps a demonstration?


--------------------
Brian Chandler
Nothing in this post constitutes "commercial solicitation". PayPal does not solicit residents of Japan. Contents may settle in transit. "Legal mind" may or may not be brain-damaged.
Ephraim F. Moya
post Mar 6 2012, 08:05 PM
Post #16


Advanced Member
****

Group: Members
Posts: 167
Joined: 2-September 07
From: New Mexico
Member No.: 3,702



QUOTE(Brian Chandler @ Mar 6 2012, 01:26 PM) *

QUOTE
Confusing the whole thing is php's 'pre-handling' filename character sequences and string character sequences of characters.


Can you give a manual reference that explains this? If not, perhaps a demonstration?


According to http://en.wikipedia.org/wiki/Filename there are two characters that are banned in a filename. The / and a NULL (hex 00) character.

There are a whole lot of characters that are (if the shell is used) required to be escaped. These include ?, *, (, | ... etc.

I believe?? that php uses shell access to the unix system.

If you can GUARANTEE that url_encode() or some such doesn't use a / or a hex(00) (or if php, the other characters that are required to be double quoted) even then you wouldn't be able to make a filename that uses a NULL (hex 00) character.

I suppose you're right that if some way of encoding a filename were used then you could make the filename you end up with transparent. The OP, however, wanted to include some character in the filename that would make the file or folder invisible to 'normal' access.

ps. You shouldn't get up so early, it makes you testy!


--------------------
Ephraim F. Moya
"Los pintos y los pendejos
Se conocen desde lejos."
Brian Chandler
post Mar 7 2012, 10:53 AM
Post #17


Jocular coder
********

Group: Members
Posts: 2,222
Joined: 31-August 06
Member No.: 43



QUOTE(Ephraim F. Moya @ Mar 7 2012, 10:05 AM) *

QUOTE(Brian Chandler @ Mar 6 2012, 01:26 PM) *

QUOTE
Confusing the whole thing is php's 'pre-handling' filename character sequences and string character sequences of characters.


Can you give a manual reference that explains this? If not, perhaps a demonstration?


According to http://en.wikipedia.org/wiki/Filename there are two characters that are banned in a filename. The / and a NULL (hex 00) character.

There are a whole lot of characters that are (if the shell is used) required to be escaped. These include ?, *, (, | ... etc.

I believe?? that php uses shell access to the unix system.


Not likely I think. The whole point of a php function fopen() is that it's a wrapper for the standard C library function fopen. So the C code to implement the body of the php open looks something like:

CODE

// code for php fopen(arg1, arg2)
return fopen(arg1, arg2);


If you tried to build a shell call (whatever for?!) the first thing you would notice is that the shell doesn't provide a way to "open" a file, does it?


QUOTE

If you can GUARANTEE that url_encode() or some such doesn't use a / or a hex(00) (or if php, the other characters that are required to be double quoted) even then you wouldn't be able to make a filename that uses a NULL (hex 00) character.


Well, url_encode makes a string that can appear in an URL, which rather obviously excludes / and 0x00. So you can't make a filename that includes a /, since that's against the rules, but you can make filenames which *represent* any byte sequence at all.

QUOTE

I suppose you're right that if some way of encoding a filename were used then you could make the filename you end up with transparent. The OP, however, wanted to include some character in the filename that would make the file or folder invisible to 'normal' access.


I didn't exactly see this bit in the original question, but it isn't useful to have a file system which doesn't allow access to all files in a uniform way, so I don't see the point anyway.

QUOTE

ps. You shouldn't get up so early, it makes you testy!


I was struggling through the night actually...


--------------------
Brian Chandler
Nothing in this post constitutes "commercial solicitation". PayPal does not solicit residents of Japan. Contents may settle in transit. "Legal mind" may or may not be brain-damaged.
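
An added example (not code from any poster in this thread) of the approach suggested above: encode the user-supplied title into a file name, check what fopen() returns, and compare how PHP treats a NUL byte inside a string with how it treats one inside a path. It uses rawurlencode() in place of the urlencode() mentioned in the thread; the temporary directory, the `.txt` suffix, the 80-byte limit and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. Directory, suffix and length limit are assumptions.

/**
 * Map an arbitrary thread title to a path inside $dir.
 * rawurlencode() leaves only A-Z a-z 0-9 - _ . ~ unescaped, so the name
 * cannot contain '/', '\', '?', '*' or a NUL byte, and it is reversible.
 */
function title_to_path(string $dir, string $title): string
{
    $title = trim($title);
    if ($title === '' || strlen($title) > 80) {      // 80-byte limit: assumption
        throw new InvalidArgumentException('title must be 1-80 bytes');
    }
    // The fixed suffix also means the name can never be "." or "..".
    return rtrim($dir, '/') . '/' . rawurlencode($title) . '.txt';
}

/** Create the file and report why fopen() failed instead of assuming it worked. */
function create_thread_file(string $path, string $body): void
{
    // Mode 'x' creates the file and fails if it already exists.
    $handle = @fopen($path, 'x');
    if ($handle === false) {
        $err = error_get_last();
        throw new RuntimeException('fopen failed: ' . ($err['message'] ?? 'unknown'));
    }
    fwrite($handle, $body);
    fclose($handle);
}

$dir = sys_get_temp_dir() . '/threads_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// Constructed sample titles, including the characters argued about above.
$titles = ['Why?', 'five*six', '../../etc/passwd', "this\0 is a string", "line\nbreak"];
foreach ($titles as $title) {
    $path = title_to_path($dir, $title);
    create_thread_file($path, $title);
    $name = basename($path, '.txt');
    // Decoding the stored name gives back the exact title, NUL and newline included.
    printf("%-30s round-trips: %s\n", $name, var_export(rawurldecode($name) === $title, true));
}

// A PHP string is length-counted: the NUL byte is just one of its bytes.
$raw = "this\0 is a string";
printf("strlen = %d\n", strlen($raw));

// Passing that raw string as a path is refused: PHP 8 throws ValueError,
// PHP 5.3.4 to 7.x warn and return no handle; earlier versions cut the path at the NUL.
try {
    $h = @fopen($dir . '/' . $raw, 'x');
    echo is_resource($h) ? "unexpected: file opened\n" : "raw NUL path rejected\n";
} catch (Throwable $e) {
    echo 'raw NUL path rejected: ', $e->getMessage(), "\n";
}

// Remove the temporary files (scandir also lists names starting with a dot).
foreach (array_diff(scandir($dir), ['.', '..']) as $f) {
    unlink($dir . '/' . $f);
}
rmdir($dir);
```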