So, my script allows people to write content into a .txt file and save it on the server. They can currently write anything they want to. This is the method I'm using to save the file.
<?php
$victim = $_POST['victim'];
$user = $_POST['user'];
$comment = $_POST['comment'];
$IP = $_POST['IP'];
$data = "$victim | $user | $comment | $IP\n";
//open the file and choose the mode
$fh = fopen($victim.".txt", "a");
fwrite($fh, $data);
//close the file
fclose($fh);
print "User Submitted";
echo "URL is mysite.com/".$victim.".txt";
?>
My question is - is there anything they could write that would damage the way my server works?
Sure. I can send this string as your victim POST argument:
/var/www/your_website/index.php\0
And you'll modify index.php. The \0 makes PHP ignore the .txt extension. In user, I could send some PHP code and append it into your index page, which is pretty bad.
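A hardened variant of the save handler, as an added example that is not part of the original question or answer: it restricts the file name to an allowlist so the `victim` value can no longer choose the path, and keeps each record on one line. `DATA_DIR`, the 32-character limit, the helper names, and taking the IP from `REMOTE_ADDR` are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. DATA_DIR and the name rule are assumptions.
// The directory must already exist and should not be one where PHP files are executed.
const DATA_DIR = __DIR__ . '/submissions';

// Accept only a short name of letters, digits, '_' and '-'.
// One check rejects '/', '\', '.', '..' and NUL bytes, so the path stays inside DATA_DIR.
function safe_name($name): ?string
{
    return is_string($name) && preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name) === 1 ? $name : null;
}

// Collapse control characters (including newlines) and keep '|' reserved as the separator.
function clean_field($value): string
{
    if (!is_string($value)) {
        return '';
    }
    return str_replace('|', '/', trim((string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value)));
}

// Returns the path written to, or null when the submission is refused.
function save_comment(array $post, string $remoteIp): ?string
{
    $victim = safe_name($post['victim'] ?? null);
    if ($victim === null) {
        return null; // refuse rather than try to repair the name
    }
    $line = implode(' | ', [
        $victim,
        clean_field($post['user'] ?? ''),
        clean_field($post['comment'] ?? ''),
        clean_field($remoteIp), // taken from the server, not from the form
    ]) . "\n";
    // FILE_APPEND | LOCK_EX: append under an exclusive lock so concurrent posts do not interleave.
    $path = DATA_DIR . '/' . $victim . '.txt';
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) === false ? null : $path;
}

if (PHP_SAPI !== 'cli') {
    if (save_comment($_POST, $_SERVER['REMOTE_ADDR'] ?? '') === null) {
        http_response_code(400);
        echo 'Invalid submission';
    } else {
        echo 'User Submitted';
    }
}
```

Current PHP versions reject NUL bytes in file paths, but a name containing directory separators would still move the write elsewhere, which is why the name is validated rather than only stripped of `\0`.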