Need to replace everything #/W#

[BLiZZaRD]

I have the following code...

I need to add a string that will strip everything except alpha/numeric's so the input box submission will only post numbers and letters.

PHP Code:

<?php
$negateString = "";
$end = ".php";
$host  = $_SERVER['HTTP_HOST'];
$uri   = '/folder';
$extra = $_POST['guess'];
$filename = realpath( $_SERVER['DOCUMENT_ROOT'] ).'/foldeer/'.($_POST['guess']).$end;
if (isset($_POST['submit'])){
        if (file_exists($filename)) {
header("Location: http://$host$uri/$extra$end");
}
        else {}
    if (strtolower($_POST['guess']) != ""){
        $end = ".php";
        $myFile = realpath( $_SERVER['DOCUMENT_ROOT'] ).'/folder/'.($_POST['guess']).$end;
        $fh = fopen($myFile, 'w') or die("can't open file");
        $stringData = <!-- rest of html here -->

I know about this:

PHP Code:

$newstuff = preg_replace('#\W#', '', $string); 


Just not sure where and how to adapt it to the current code. Should be a quick fix.

Thanks guys.

[traq]

the $_POST['guess'] field?

PHP Code:

$extra = preg_replace( "#\W#",'',$_POST['guess'] ); 


BTW, this can give varying results depending on your server's locale. May be what you want, maybe not, maybe it'll never make a difference. Does your filesystem ever have file names with non-ASCII characters? If not, you may want to replace \W with something like [^-_ A-Za-z0-9] (and/or add the u modifier to the regex).

[BLiZZaRD]

I don't know... I just don't want special characters, periods or spaces in the guess input box.

Basically there is a page with this input box on it. The user submits an answer (or "guess") and clicks submit, the page checks another folder for the file, if it doesn't exist, it creates it and returns to this page, if it does exist the user is taken to that page.

So if you went there and typed in "dynamic" in the box, you would be greeted with a refresh of the page. If you entered "dynamic" in the box again, you would be taken to dynamic.php

However, as you can tell (and I didn't when I put it together) you can enter "../" or "index.php" and really mess things up...


Edit. I got it. Thanks! Replaced as you suggested then replaced both instances of $POST_guess with $extra. Good to go.

[traq]

okay...

is this the logic you want?

Code:

was form submitted?
    yes:
    is "guess" a file?
        yes:
        redirect to the file
        no:
        create the file*

*not sure I understand the point of this.  
will this be an empty file?
or are you adding contents somehow?
allowing a user to add contents (to a .php file) is very dangerous

PHP Code:

<?php
if( isset( $_POST['submit'] ) && !empty( $_POST['guess'] ) ){
    $root = $_SERVER['DOCUMENT_ROOT'];
    $host = $_SERVER['HTTP_HOST'];
    $path = '/folder';
    $ext = '.php';
    $guess = preg_replace( '#[^-_ A-Za-z0-9]#u','',$_POST['guess'] );
    if( file_exists( $root.$path.$guess.$ext ) ){
        header( "Location: http://$host.$path.$guess.$ext" );
        exit;
    }else{
        $handle = fopen( $root.$path.$guess.$ext,'w' );
        //  . . .
    }
}

in your original example, you're leaving case alone when looking for a file, and lowercasing everything when creating it. You should do one or the other. This makes a big difference on linux (i.e., most webservers), where everything is case-sensitive (as opposed to Windows, where case doesn't matter).

Edit:

glad you got it working.

[BLiZZaRD]

Yes, and no... the user isn't adding contents to the php file, the file is created, they are just giving it a file name. The page created isn't empty, it is populated with HTML, once they give it a name, it is created, if they then "guess" the same name again, they are shown the created file. The problem came in the original guess box, where they would try to "guess" (not knowing they are creating a file name) things like "../" and "index.php" etc. I have now fixed that though.

Thanks!