PHP Emaling from HTML WebSite

mdaniel84 · October 22, 2013, 5:20pm

Hello there and thanks for looking I seem to be having some issues with the following code, I’m getting a error message when I hit submit from my HTML site I was wondering if anyone can help me figure out what this issue is.

I think it deals with the PHP code itself and not my HTML site, also the email get’s sent out with no issues everything looks good I just receive this error message on the HTML site when it’s finished.

ERROR MESSAGE - array(2) { [0]=> string(11) "mdanie000 " [1]=> bool(false) } can’t open file

<?php $headers = "MIME-Version: 1.0" . "\r\n"; $headers = "Content-type: text/html; charset=iso-8859-1" . "\r\n"; $headers = "From: [email protected]" . "\r\n"; $errormessage = "0" ; $file = fopen("//IPADDRESS/mcc_landing$/veriflauncher/Central/Detroit_Checklist/tempdata.txt", "r"); $data = array(); while (!feof($file)) { $data[] = fgets($file); } fclose($file); $Name = ($data[0]); var_dump($data); $mailto = "[email protected]" ; $Date = ($_POST[Date]); $CMCS = ($_POST[CMCS]); $CMCF = ($_POST[CMCF]); mail($mailto, "'Detroit Verification Checklist.'" , " 'Emp Name: ' $Name 'Ver Date: ' $Date\n \n **HUB Count Section** \n CMC Schedules: ' $CMCS\n CMC Verifications: ' $CMCF\n"); $mydir = "Detroit_Checklist/"; $myFile = "$mydir" . "$Date.txt"; $fh = fopen($myFile, 'w') or die("can't open file"); $strdata = "Detroit Verification Checklist\n"; fwrite($fh, "$strdata"); $strdata = "$Name"; fwrite($fh, "Emp Name: $strdata"); $strdata = "$Date" . "\n"; fwrite($fh, "Ver Date: $strdata"); $strdata = "$CMCS" . "\n"; fwrite($fh, "CMC Schedules: $strdata"); $strdata = "$CMCF" . "\n"; fwrite($fh, "CMC Verifications: $strdata"); fclose($fh); header( "refresh:0;url=http://IPADRESS/mcc_landing/home.html" ); ?>

Thank you!!!

JimL · October 22, 2013, 9:43pm

Check the file name / path you are trying to open, is there a file there? Does the web server have access to it?

A few things about your code

Is the dollar sign intended?

You don’t need to wrap variables in parenthesis. $Name = $data[0] is enough

Also you should use a naming convention for variables/methods. You have a mix of first cap / small / etc.

Same here regarding the ()… Also you are saying Date, CMCS and CMCF are constants, this will add execution time and throw a notice/warning as PHP (probably) can’t find those constants and fall back to what you probably mean. $_POST[‘Date’] etc…

This looks scary, you take user input and directly use it to open a file. Are you sure this isn’t vulnerable to Local File Inclusion? If so you may be leaving your server highly vulnerable. Also you should do something about the myFile (yay! camelCase!) variable. I would suggest something like this, easier to see what variables are used, both for devs and PHP.

[php]$myFile = $mydir . $Date . ‘.txt’;[/php]

Note that you do not have to use quotes around variables in an echo.

and lastly, do not exit php execution (?>) at the end of files (if not followed by html). it is not necessary and only add a potential place for errors