
Is this php script safe? fwrite and get


The purpose of this script is to mail logs to the webmaster whenever there is a 404/500 etc. server error.

The script makes use of fwrite to count logs, then saves 10 logs and mails them when it reaches 10 logs. It uses some of the values and displays them via echo; how can I be sure it does not have XSS or another hackable issue? I know the script might not be as advanced, efficient or cleanly written, but it does the trick for me. I'm just concerned about its safety.

.htaccess file

ErrorDocument 400 /errors/error.php?err=400
ErrorDocument 401 /errors/error.php?err=401
ErrorDocument 403 /errors/error.php?err=403
ErrorDocument 404 /errors/error.php?err=404
ErrorDocument 500 /errors/error.php?err=500
ErrorDocument 410 /errors/error.php?err=410

PHP file /errors/error.php

<?php

// Read the current error counter (the file holds a single number).
$count = 0;
if (file_exists("counterlog.txt")) {
    $fp = fopen("counterlog.txt", "r");
    $count = (int)fread($fp, 1024);
    fclose($fp);
}

// The only request parameter: the status code passed by ErrorDocument.
$errorNum = isset($_GET['err']) ? (int)$_GET['err'] : 0;
$err_str = array(
    404 => 'Type of error: Not Found (404)',
    400 => 'Type of error: Bad Request (400)',
    401 => 'Type of error: Unauthorized (401)',
    403 => 'Type of error: Forbidden (403)',
    410 => 'Type of error: Gone (410)',
    500 => 'Type of error: Internal Server Error (500)'
);
// Fall back to a generic line for status codes not in the table.
$errorText = isset($err_str[$errorNum]) ? $err_str[$errorNum] : 'Type of error: Unknown (' . $errorNum . ')';

$ip = getenv("REMOTE_ADDR");
$requri = getenv("REQUEST_URI");
$servname = getenv("SERVER_NAME");
$combine = $ip . " tried to load " . $servname . $requri;

$httpref = getenv("HTTP_REFERER");
if (empty($httpref)) {
    $httpref = "Unknown Location";
}

$httpagent = getenv("HTTP_USER_AGENT");

$today = date("F j, Y, H:i:s");

$note = "This information has been sent to the webmaster.";

// HTML version shown to the visitor, plain-text version appended to the log.
$message = "On $today \n <br> $combine <br> \n User Agent = $httpagent \n <br>User got there from: $httpref <br><br> $errorText <br><br> $note\n ";
$message2 = "#$count \n $today \n $combine \n User Agent = $httpagent \n User got there from: $httpref \n $errorText \n\n ";

// Append this error to the log file.
$fh = fopen("errorlogje.txt", "a") or die("can't open file");
fwrite($fh, $message2);
fclose($fh);

if ($count == 10) {
    // Ten entries collected: mail the whole log to the webmaster and start over.
    $count = 0;
    $bericht = file_get_contents("errorlogje.txt");
    $to = "mail@mail.nl"; // webmaster email
    $subject = "errorpage guardian has a message"; // email message
    $from = "From: mailguardian@mail.nl\r\n";  // email sender (makes sorting easy)
    mail($to, $subject, $bericht, $from);

    // Truncate the log file.
    $fh = fopen("errorlogje.txt", "w");
    fclose($fh);
} else {
    $count = $count + 1;
}

// Store the updated counter.
$fp = fopen("counterlog.txt", "w");
fwrite($fp, $count);
fclose($fp);

echo " $message ";

?>

Solution

  • It's perfectly safe, yes. The only $_GET value that you're using is cast to an integer, so that eliminates any possible issues with it.
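The integer cast does cover $_GET['err'], but the script also places the Referer, User-Agent and request URI, which the client controls just as much, into the page unescaped. Here is an added example (not from the original post) of the same message-building logic with escaping at the HTML output and line-break stripping on the log line; the $request array, buildMessages and esc are assumed names standing in for the script's getenv()/$_GET reads.

```php
<?php
// Added example, not from the original post: build the HTML shown to the
// visitor and the plain-text log line from one request array ($request stands
// in for the getenv()/$_GET values the script reads; sample values are constructed).

function esc($value) {
    // Escape for an HTML text context; ENT_QUOTES also covers attribute values.
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function buildMessages(array $request, array $errStr, $count, $today) {
    // Status code: the integer cast is all the sanitisation this value needs.
    $errorNum = isset($request['err']) ? (int)$request['err'] : 0;
    $errorText = isset($errStr[$errorNum])
        ? $errStr[$errorNum] : 'Type of error: Unknown (' . $errorNum . ')';

    // These come from the client too: request path, Referer and User-Agent.
    $combine = $request['REMOTE_ADDR'] . ' tried to load '
             . $request['SERVER_NAME'] . $request['REQUEST_URI'];
    $httpref = empty($request['HTTP_REFERER']) ? 'Unknown Location' : $request['HTTP_REFERER'];
    $httpagent = isset($request['HTTP_USER_AGENT']) ? $request['HTTP_USER_AGENT'] : '';

    // HTML for the browser: escape each client-derived value at the point of output.
    $html = 'On ' . esc($today) . '<br>' . esc($combine) . '<br>'
          . 'User Agent = ' . esc($httpagent) . '<br>'
          . 'User got there from: ' . esc($httpref) . '<br><br>'
          . esc($errorText) . '<br><br>This information has been sent to the webmaster.';

    // Plain text for the log and mail: no HTML escaping, but collapse line breaks
    // so a single request cannot produce what looks like several log entries.
    $oneLine = function ($s) { return preg_replace('/[\r\n]+/', ' ', $s); };
    $text = "#$count \n$today \n" . $oneLine($combine) . " \nUser Agent = "
          . $oneLine($httpagent) . " \nUser got there from: " . $oneLine($httpref)
          . " \n$errorText \n\n";

    return array('html' => $html, 'text' => $text);
}

// Constructed sample request carrying markup in the path and User-Agent header.
$sample = array(
    'err' => '404', 'REMOTE_ADDR' => '203.0.113.5', 'SERVER_NAME' => 'example.com',
    'REQUEST_URI' => '/missing?q=<b>x</b>', 'HTTP_REFERER' => '',
    'HTTP_USER_AGENT' => 'Mozilla/5.0 <script>alert(1)</script>',
);
$errStr = array(404 => 'Type of error: Not Found (404)');
$out = buildMessages($sample, $errStr, 3, 'January 1, 2024, 12:00:00');
echo $out['html'], "\n\n", $out['text'];
```

In the HTML output the tags from the sample headers appear as literal text (`&lt;script&gt;`), while the log line keeps them verbatim on a single line.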