On 21/10/2021 21:52, ourdiaspora wrote:
On Friday, September 24th, 2021 at 9:54 PM, ourdiaspora <ourdiaspora@xxxxxxxxxxxxxx> wrote:
Just realised that the function 'sys_get_temp_dir' returns:
"
/tmp/...[random string]
"
and not the temporary directory specified in the phpinfo() file.
Readers,
Pleased to announce _very_ simple successful ability to upload csv file, _without any security validation_. Posted here just in case someone benefits.
"
...
// Destination path is assembled but never used below
$uploaddir = '/tmp/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
$dbconnect = pg_connect("dbname=... user=...");
$targetfilepath = $uploaddir . $uploadfile;
// Read directly from PHP's upload temp file
$filename = $_FILES["userfile"]["tmp_name"];
$file = fopen($filename, "r");
// Reads only the first CSV record
$getdata = fgetcsv($file, 10000, ",");
// CSV fields are interpolated straight into the SQL string
$dbdataentry = "INSERT INTO tablename(name, id, emailaddress) VALUES ('".$getdata[0]."','".$getdata[1]."','".$getdata[2]."')";
$result = pg_query($dbconnect, $dbdataentry);
pg_freeresult($result);
pg_close($dbconnect);
...
"
I would recommend securing this code as, from first glance, I can see an
SQL injection vulnerability because of unescaped/un-parameterised query
values. You also have a few variables that aren't used: `$uploaddir`,
`$uploadfile`, and `$targetfilepath`. These can go, as they don't do
anything.
The code also looks like it will only insert a single row of data from
the uploaded CSV. Without any kind of loop, it won't ever read from
successive lines if there are any. The manual for this function has a
good example of reading a CSV file line by line until the end:
https://www.php.net/manual/en/function.fgetcsv
--
Ashley Sheridan
https://www.ashleysheridan.co.uk
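As an added illustration of the two points raised in the reply (this is example code written for this page, not the original poster's script), here is the same CSV import with the query parameterised via pg_query_params() and the rows read in a loop until fgetcsv() returns false. It assumes the table tablename(name, id, emailaddress) from the post; the connection string stays a placeholder as in the original, and the checks on $_FILES, the column count and the transaction wrapper are additions not present in the post.

```php
<?php
// Added example, not the original poster's code. Assumes the table
// tablename(name, id, emailaddress) named in the post; the pg_connect()
// string is a placeholder exactly as it was there.
declare(strict_types=1);

const MAX_LINE_LENGTH  = 10000;
const EXPECTED_COLUMNS = 3;   // name, id, emailaddress

function fail(int $status, string $msg): void
{
    http_response_code($status);
    exit($msg . "\n");
}

// Only accept a file that PHP itself received in this request.
if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
    fail(400, 'No file uploaded or upload failed');
}
$tmpName = $_FILES['userfile']['tmp_name'];
if (!is_uploaded_file($tmpName)) {
    fail(400, 'Not an uploaded file');
}

// No copy into /tmp/ is needed: read straight from the upload temp path.
$file = fopen($tmpName, 'r');
if ($file === false) {
    fail(500, 'Cannot open uploaded file');
}

$dbconnect = pg_connect("dbname=... user=...");   // placeholder, as in the post
if ($dbconnect === false) {
    fail(500, 'Database connection failed');
}

// Parameterised statement: the values are sent separately from the SQL
// text, so a field such as  '); DROP TABLE tablename; --  is stored as a
// plain string rather than executed. $1..$3 are PostgreSQL placeholders
// (single-quoted PHP string, so PHP does not interpolate them).
$sql = 'INSERT INTO tablename (name, id, emailaddress) VALUES ($1, $2, $3)';

// Wrap the whole import in one transaction so a bad line leaves no
// partial data behind.
pg_query($dbconnect, 'BEGIN');

$inserted = 0;
$lineNo   = 0;
// fgetcsv() returns false at end of file (or on error), which ends the loop.
while (($getdata = fgetcsv($file, MAX_LINE_LENGTH, ',')) !== false) {
    $lineNo++;
    if ($getdata === [null]) {          // blank line: fgetcsv() yields [null]
        continue;
    }
    if (count($getdata) !== EXPECTED_COLUMNS) {
        pg_query($dbconnect, 'ROLLBACK');
        fclose($file);
        fail(400, "Line $lineNo: expected " . EXPECTED_COLUMNS . ' columns, got ' . count($getdata));
    }
    // $getdata is a list of strings in column order, matching $1, $2, $3.
    $result = pg_query_params($dbconnect, $sql, $getdata);
    if ($result === false) {
        $err = pg_last_error($dbconnect);
        pg_query($dbconnect, 'ROLLBACK');
        fclose($file);
        fail(500, "Line $lineNo: insert failed: $err");
    }
    $inserted++;
}

pg_query($dbconnect, 'COMMIT');
fclose($file);
pg_close($dbconnect);
echo "Inserted $inserted rows\n";
```

Because pg_query_params() takes the row array directly, there is no per-field escaping to forget; if the id column is numeric or the address should be validated, that is a separate check on $getdata before the call (for example filter_var($getdata[2], FILTER_VALIDATE_EMAIL)), not a change to the query string.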