function function1()
{
    // no PHP validation needed, since the admin won't even reach the form if JS is disabled
    $data = array(
        'name' => $this->input->post('album_name')
    );
    $query = $this->db->insert('album_name', $data);
    $id = $this->db->insert_id();
    $success = mkdir('./uploads/gallery/' . $id); // the album folder name will be the id
    $success2 = mkdir('./uploads/gallery/' . $id . '/thumbs'); // thumbnails
    if (!$success || !$success2)
        echo 'fail';
    else
        echo $id;
}
Let's say I have this function for the administrator panel. It is called with AJAX, and as you can see it creates a record in a database and directories.
There is not much a hacker can do, except he can make many folders and database records if he knows that function name and the URL to that function.
I could make a check in that function whether the administrator is logged in. Then a hacker could not run this. But the question is: do I need to do that? Can a hacker somehow know how to call that function?
He knows only the site name, like www.domain.com
So if the function is there:
www.domain.com/folder1/folder2/controller/function1
is it possible for him to find it and run it?
Btw, I am using the CodeIgniter framework, but probably this does not change anything.
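As an added example (not the asker's code, and not part of the original post), here is how the same action looks in a CodeIgniter 3 style controller when the admin check is done on the server, in the constructor, so that every method of the controller is gated regardless of how the URL was discovered. It assumes the Session library is available, that a successful admin login stored `is_admin => TRUE` in the session, and that the table, column and upload paths are the same as in the question; the controller and method names are made up.

```php
<?php
// Added example, not the asker's code. Assumes CodeIgniter 3, the Session and
// Form Validation libraries, and that the login flow sets is_admin = TRUE in
// the session. Table/column/path names mirror the question; class and method
// names are hypothetical.
defined('BASEPATH') OR exit('No direct script access allowed');

class Gallery extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->library('form_validation');

        // Every method in this controller is admin-only, so the check lives in the
        // constructor: a request to any method, however the URL was found, gets
        // here before the method body runs.
        if ($this->session->userdata('is_admin') !== TRUE) {
            $this->output->set_status_header(403);
            echo 'forbidden';
            exit; // stop the request; the requested method never executes
        }
    }

    public function create_album()
    {
        // Server-side validation: the client-side JavaScript check only protects
        // a browser user who follows the form; a direct request skips it entirely.
        $this->form_validation->set_rules(
            'album_name', 'Album name', 'required|trim|min_length[1]|max_length[100]'
        );
        if ($this->form_validation->run() === FALSE) {
            $this->output->set_status_header(400);
            echo 'invalid';
            return;
        }

        $this->db->insert('album_name', array(
            'name' => $this->input->post('album_name')
        ));
        // The directory name comes from the DB id, never from request data, so
        // no path component is attacker-controlled.
        $id = (int) $this->db->insert_id();

        $base = './uploads/gallery/' . $id;
        $ok = mkdir($base, 0755) && mkdir($base . '/thumbs', 0755);
        echo $ok ? $id : 'fail';
    }
}
```

Putting the check in the constructor rather than in one method means a new admin method added later is protected by default; a per-method check is easy to forget. The validation rules are only an illustration of re-checking input on the server, since anything the JavaScript enforces can be bypassed by sending the request directly.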