Hey,
Can someone help me secure the kirupa guestbook. I think someone is hacking it on a site I’ve made:
php:
<?php
// "w+" truncates guestbook.xml to zero bytes before anything is checked
$file = fopen("guestbook.xml", "w+") or die("Can't open XML file");
// whatever the request body contains (possibly nothing) becomes the new file
$xmlString = $HTTP_RAW_POST_DATA;
if(!fwrite($file, $xmlString)){
print "Error writing to XML-file";
}
// the same bytes are echoed back to the Flash client (receiverXML)
print $xmlString."\n";
fclose($file);
?>
actionscript for the flash guestbook:
var currPage = 0;
var showAmount = 10; // set this to the amount of entries you want to view at a time
previous._visible = false;
createMessage._visible = false;
createButton.onRelease = function(){
this._visible = false;
this._parent.createMessage._visible = true;
if (createMessage.nameField.text == ""){
Selection.setFocus(createMessage.nameField);
}
else if (createMessage.messageField.text == ""){
Selection.setFocus(createMessage.messageField);
}
}
// **** Load XML ****************************
myXML = new XML();
myXML.ignoreWhite = true;
receiverXML = new XML();
myXML.onLoad = function(success){
myXML.contentType = "text/xml";
if (success){
this.showXML();
}
else{
trace("Error loading XML file");
}
}
myIdentifier=Math.round(Math.random()*10000);
myXML.load("guestbook.xml?uniq="+myIdentifier);
receiverXML.onLoad = function(){
this.contentType = "text/xml";
_root.currPage = 0;
this.showXML();
}
createMessage.closeButton.onRelease = function(){
this._parent._visible = false;
createButton._visible = true;
}
createMessage.sendButton.onRelease = function(){
var myName = this._parent.nameField.text;
var myMessage = this._parent.messageField.text;
if (myName == ""){
this._parent.errorField.text = "please fill out your name";
Selection.setFocus(this._parent.nameField);
}
else if (myMessage == ""){
this._parent.errorField.text = "please leave a message";
Selection.setFocus(this._parent.messageField);
}
else {
myXML.firstChild.appendChild(myXML.createElement("entry"));
myXML.firstChild.lastChild.attributes.myName = myName;
myXML.firstChild.lastChild.appendChild(myXML.createElement("myText"));
myXML.firstChild.lastChild.lastChild.appendChild(myXML.createTextNode(myMessage));
myXML.sendAndLoad("processXML.php", receiverXML);
this._parent._visible = false;
createButton._visible = true;
}
}
XML.prototype.showXML = function(){
myGuestbook.scroll = 1;
myGuestbook.htmlText = "";
var numItems = this.firstChild.childNodes.length;
var firstItem = numItems - (currPage*showAmount);
if (currPage == 0) previous._visible = false;
var lastItem = firstItem - showAmount ;
if (lastItem<=0) {
lastItem = 0;
next._visible = false;
}
myCount.text = "Total messages: " + numItems;
if (firstItem == lastItem+1) nowShowing.text = "Showing message " + firstItem;
else nowShowing.text = "Showing message " + firstItem + " to " + (lastItem + 1);
for (i=(firstItem-1); i>= lastItem; i--){
myGuestbook.htmlText += "<B>" + this.firstChild.childNodes[i].attributes.myName + "</B> wrote:\n";
myGuestbook.htmlText += this.firstChild.childNodes[i].firstChild.firstChild.nodeValue + "\n";
}
}
previous.onRelease = function(){
currPage--;
myXML.showXML();
next._visible = true;
}
next.onRelease = function(){
currPage++;
myXML.showXML();
previous._visible = true;
}
This has been operational on a site for over a year. Three weeks ago, suddenly I find the guestbook.xml file completely erased (xml tags and content). So I reupped the file:
<?xml version="1.0"?>
<guestbook>
<entry myName="web admin">
<myText>The guestbook is working. </myText>
</entry>
</guestbook>
only to find it erased again last night. Is there a straightforward way to make this more secure?
Thanks
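A hardened replacement for processXML.php, added here as an example; it is not the kirupa tutorial's code and not something from the post above. The posted script truncates guestbook.xml and then writes the raw POST body with no check at all, so a single empty or junk POST to processXML.php wipes the file, which matches the symptom described. The version below keeps the same contract with the Flash client (the whole guestbook document is POSTed via sendAndLoad and the saved document is echoed back), but rejects empty, oversized, malformed or non-guestbook bodies, rebuilds a clean document from validated fields instead of saving the client's bytes, refuses a document that has fewer entries than the one already on disk, keeps a backup, and replaces the file atomically. It reads the body from php://input because $HTTP_RAW_POST_DATA was removed in PHP 7. The size and length limits and the error-log wording are assumed values, not anything from the tutorial.

```php
<?php
// processXML.php, hardened version (added example; not the kirupa tutorial's code).
// Contract is unchanged: the Flash client POSTs the whole <guestbook> document,
// receives the stored document back, and loads guestbook.xml from this directory.

$storePath  = __DIR__ . '/guestbook.xml'; // same location as the original so myXML.load() keeps working
$maxBytes   = 256 * 1024;   // hard cap on the request body (assumed limit)
$maxEntries = 2000;         // cap on the number of entries (assumed limit)
$maxName    = 60;           // assumed field length limits
$maxText    = 2000;

function fail(string $msg, int $code = 400): void {
    http_response_code($code);
    header('Content-Type: text/plain');
    error_log('guestbook rejected: ' . $msg . ' from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    echo $msg;
    exit;
}

function cleanText(string $s, int $max): string {
    // strip control characters that are not legal in XML 1.0, then trim and bound the length
    $s = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $s);
    $s = trim($s);
    return function_exists('mb_substr') ? mb_substr($s, 0, $max, 'UTF-8') : substr($s, 0, $max);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') fail('POST only', 405);

$body = file_get_contents('php://input', false, null, 0, $maxBytes + 1);
if ($body === false || trim($body) === '') fail('empty body');   // the request that blanks the file
if (strlen($body) > $maxBytes) fail('body too large', 413);

// Strict parse: no network fetches, no DOCTYPE (so no entity tricks), any parse error is a rejection.
libxml_use_internal_errors(true);
if (PHP_VERSION_ID < 80000) libxml_disable_entity_loader(true);
$in = new DOMDocument();
if (!$in->loadXML($body, LIBXML_NONET) || $in->doctype !== null) fail('not well-formed guestbook XML');
if ($in->documentElement === null || $in->documentElement->tagName !== 'guestbook') fail('wrong root element');

// Rebuild a clean document from validated data rather than saving the client's bytes.
$out  = new DOMDocument('1.0', 'UTF-8');
$root = $out->createElement('guestbook');
$out->appendChild($root);
$count = 0;
foreach ($in->documentElement->childNodes as $node) {
    if ($node->nodeType !== XML_ELEMENT_NODE) continue;           // skip whitespace and comments
    if ($node->tagName !== 'entry') fail('unexpected element ' . $node->tagName);
    $name     = cleanText($node->getAttribute('myName'), $maxName);
    $textNode = $node->getElementsByTagName('myText')->item(0);
    $text     = $textNode ? cleanText($textNode->textContent, $maxText) : '';
    if ($name === '' || $text === '') fail('entry with empty name or message');
    if (++$count > $maxEntries) fail('too many entries');
    $entry = $out->createElement('entry');
    $entry->setAttribute('myName', $name);                        // DOM escapes &, <, > and quotes
    $myText = $out->createElement('myText');
    $myText->appendChild($out->createTextNode($text));
    $entry->appendChild($myText);
    $root->appendChild($entry);
}

// The client only ever appends, so fewer entries than already stored means a wipe; refuse it.
if (is_file($storePath)) {
    $old = new DOMDocument();
    if (@$old->load($storePath, LIBXML_NONET) && $old->documentElement !== null) {
        $existing = $old->getElementsByTagName('entry')->length;
        if ($count < $existing) fail("refusing to drop entries ($count < $existing)", 409);
    }
    copy($storePath, $storePath . '.bak');                        // previous version kept for recovery
}

// Atomic replace: write a temp file in the same directory, then rename it over the original.
$tmp = tempnam(dirname($storePath), 'gb');
if ($tmp === false || file_put_contents($tmp, $out->saveXML(), LOCK_EX) === false) fail('cannot write', 500);
chmod($tmp, 0644);                                                // readable by the web server for myXML.load()
if (!rename($tmp, $storePath)) { @unlink($tmp); fail('cannot replace file', 500); }

header('Content-Type: text/xml');
echo $out->saveXML();   // receiverXML.onLoad in the Flash client redraws from this response
```

The entry-count check is the part that directly addresses the reported symptom: an empty body is rejected before the file is touched, and even a well-formed `<guestbook/>` with no entries is refused while entries are already stored. The `.bak` copy and the server error log give a way to recover the last good file and to see when and from which address a rejected request arrived.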