
I'm trying to open a file on my desktop, but for some reason it only works on my localhost and not when I have uploaded it to my server. Am I doing something wrong?

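```php
<?php
include "includes/connect.inc.php";
include "includes/core.inc.php";
include "includes/header.inc.php";
?>

<?php
if (isset($_GET["id"])) {
    echo '<div id="background">';
    echo '<div id="loader">';
    echo '<img src="image/loading.gif" />';
    echo '</div>';

    $id = $_GET["id"];

    // Look up the requested movie ($id is interpolated straight into the SQL string).
    $query = "SELECT * FROM movie WHERE id = '$id'";
    $query_run = $db->query($query);
    $row = mysqli_fetch_assoc($query_run);

    // Fetch the drive prefix that the stored file paths are relative to.
    $querys = "SELECT * FROM drive";
    $query_runs = $db->query($querys);
    $rows = mysqli_fetch_assoc($query_runs);

    $drive = $rows["drive"];
    $filep = nl2br($row["filepath"]);

    // Full path = drive prefix + stored path (was $drevet, an undefined variable).
    $file = $drive . $filep;

    // Record this movie as the most recently opened one.
    $sql = "INSERT INTO latest VALUES('', '$id')";
    $sql_run = $db->query($sql);

    // Convert forward slashes to Windows path separators.
    $str = str_replace('/', '\\', $file);

    // Single quotes keep the backslashes literal ("\v" is an escape sequence in double quotes).
    $vlc = 'C:\Program Files (x86)\VideoLan\VLC\vlc.exe';
    // The command is started on the machine where this PHP script executes.
    pclose(popen("start \"$vlc\" \"$str\"", "r"));
}
echo '</div>';
?>
```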
Hazelcraft
  • *facepalm* PHP is a server-side language. It can only access files on the system that it's on, and only if it has read access to those files. – aynber Nov 08 '17 at 16:56
  • [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Nov 08 '17 at 17:05
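
The parameterized-query approach recommended in the comment above, applied to the question's `movie` lookup and `latest` insert. This is an added example, not code from the original post or from any commenter; it uses `PDO` with an in-memory SQLite database so it runs without a MySQL server, and the table layout, the `movie_id` column, the sample rows and the `findMoviePath()` helper are assumptions made for illustration.

```php
<?php
// Constructed in-memory schema standing in for the question's tables (assumed layout).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE movie (id INTEGER PRIMARY KEY, filepath TEXT)');
$db->exec('CREATE TABLE latest (id INTEGER PRIMARY KEY AUTOINCREMENT, movie_id INTEGER)');
$db->exec("INSERT INTO movie (id, filepath) VALUES (1, 'films/a.mkv'), (2, 'films/b.mkv')");

// Hypothetical helper: look up a movie path and record the view, with the id bound as data.
function findMoviePath(PDO $db, $rawId): ?string
{
    // Reject anything that is not a plain positive integer before touching the database.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The placeholder is filled by the driver, so the value can never change the SQL text.
    $stmt = $db->prepare('SELECT filepath FROM movie WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $path = $stmt->fetchColumn();
    if ($path === false) {
        return null; // no such movie: nothing is written to `latest`
    }

    $ins = $db->prepare('INSERT INTO latest (movie_id) VALUES (:id)');
    $ins->execute([':id' => $id]);
    return $path;
}

// Constructed inputs: a valid id, an unknown id, and an injection-style string.
foreach (['2', '99', "1' OR '1'='1"] as $input) {
    $path = findMoviePath($db, $input);
    printf("%-14s => %s\n", $input, $path ?? '(rejected or not found)');
}
printf("rows in latest: %d\n", $db->query('SELECT COUNT(*) FROM latest')->fetchColumn());
```

With `mysqli`, as used in the question, the same pattern is `$db->prepare()` with `?` placeholders followed by `bind_param()` and `execute()`.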

0 Answers