Write FORM data to text file?

[Gene]

I'd like to create a form with 3 fields, which will
take the contents of each of the 3 fields and store
them in a text file.

==============================================
Form
==============================================

Enter Website URL Here: [_________________]
Enter Account ID# Here: [_________________]
Enter Email Address Here: [_________________]

[ SUBMIT ]

==============================================



When the user submits that form, the information
gets written to a text file containing only this:

==============================================
Text file named info.inc
==============================================

<?php
$weburl = "WebSiteName.com";
$accountid = "12345";
$email = "[email protected]";
?>

==============================================


Any time the user goes back to the form above
and changes the data in any of the 3 fields,
the text file will be overwritten accordingly.

Note: The text file will have the CHMOD
permission set to 644 so nobody else can
write to it.

Note: The form will be in a password protected
folder.

No help needed to create the form and
password protected folder. I just need to
know how to get the form SUBMIT to overwrite
the text file to contain the new form data.

Thanks!

Gene

 

[Eric]

Just curious, why not use a MySQL database? Would be easier to work with and IMHO more secure

 

[nasaboy007]

is it only supposed to hold those 3 pieces of info at one time? (as in different text files for different users).


if so, this should work. (untested, written on-the-fly):

<?php
$weburl = $_POST['weburl'];
$accountid = $_POST['accountid'];
$email = $_POST['email'];

//This should be the path to the text file, relative to the PHP file this is saved as.
$file = "info.inc";

$fh = fopen($file, 'w');

$string = "<?php \n \$weburl = \"" . $weburl . "\";\n\$accountid = \"" . $accountid . "\";\n\$email = \"" . $email . "\";\n ?>";

fwrite($fh, $string);

fclose($fh);

?>

That should be the action of the form, the inputs should be named "weburl", "accountid", and "email". This is the example text file populated:

<?php
$weburl = "WebSiteName.com";
$accountid = "12345";
$email = "[email protected]";
?>

Do you need to be worrying about sanitizing your data (incase it will be used for other scripts), because that is VERY open to injections?

 

[Gene]

Just curious, why not use a MySQL database? Would be easier to work with and IMHO more secure

Mainly because this is for a project where I provide turn-key websites, and this set of files would be bundled along with it so each user can customize their own site with these bits of information. I don't want to make each user have to create a database.

---------- Post added at 07:45 AM ---------- Previous post was at 07:43 AM ----------

is it only supposed to hold those 3 pieces of info at one time? (as in different text files for different users).


if so, this should work. (untested, written on-the-fly):

<?php
$weburl = $_POST['weburl'];
$accountid = $_POST['accountid'];
$email = $_POST['email'];

//This should be the path to the text file, relative to the PHP file this is saved as.
$file = "info.inc";

$fh = fopen($file, 'w');

$string = "<?php \n \$weburl = \"" . $weburl . "\";\n\$accountid = \"" . $accountid . "\";\n\$email = \"" . $email . "\";\n ?>";

fwrite($fh, $string);

fclose($fh);

?>

That should be the action of the form, the inputs should be named "weburl", "accountid", and "email". This is the example text file populated:




Do you need to be worrying about sanitizing your data (incase it will be used for other scripts), because that is VERY open to injections?

Thank you for that! I'll work with it and see if it works. Can you please explain what you mean by "sanitizing" the data, and what do you mean by it being "VERY open to injections"? Thanks!

 

[Eric]

Mainly because this is for a project where I provide turn-key websites, and this set of files would be bundled along with it so each user can customize their own site with these bits of information. I don't want to make each user have to create a database.

Ahh, I see

---------- Post added at 07:45 AM ---------- Previous post was at 07:43 AM ----------



Thank you for that! I'll work with it and see if it works. Can you please explain what you mean by "sanitizing" the data, and what do you mean by it being "VERY open to injections"? Thanks!

Well, taking info. from a user and putting it directly into PHP code like that can be dangerous. There's several ways it can be manipulated. Also you have to be careful about quotes in what they enter - adding " in the input could cause the PHP code to error out when it runs. If you're using PHP 5:

(for the $accountid, I'm assuming this is a number?)

<?php

$weburl = trim($_POST['weburl']);
$accountid = trim($_POST['accountid']);
$email = trim($_POST['email']);

if (!filter_var($weburl, FILTER_VALIDATE_URL))
{
	echo 'Please enter a valid URL';
	exit;
}

if (!filter_var($accountid, FILTER_VALIDATE_INT))
{
	echo 'Please enter a valid account id';
	exit;
}

if (!filter_var($email, FILTER_VALIDATE_EMAIL))
{
	echo 'Please enter a valid email address';
	exit;
}

//This should be the path to the text file, relative to the PHP file this is saved as.
$file = "info.inc";

// PHP 5 has file_put_contents
$string = "<?php\n\n\$weburl = \"" . $weburl . "\";\n\$accountid = " . $accountid . ";\n\$email = \"" . $email . "\";\n\n?>";
file_put_contents($file, $string);

/**
$fh = fopen($file, 'w');
fwrite($fh, $string);
fclose($fh);
*/

?>

 

[nasaboy007]

sanitizing your input means that, for example, if the user were to put something like

"; echo $password;

(very crude) into one of the text fields, your text file could look like this:

<?php
$weburl = "";
echo $password;
$accountid = "12345";
$email = "[email protected]";
?>

And so when you put this into another script (for the variables), PHP will think that you actually wanted to display the variable "$password", and so it will show it.

 

[Gene]

I see. Thank you both for your valuable input. Do you have any suggestions on how to accomplish this in a better, more secure way (without using MySQL)?

 

[nasaboy007]

honestly, (if the way i understand it is correct), it may not matter that much. if you are selling a website to a client, then sending that client to a portal page where they will input the information that they want (login/info/accountid), i assume that your clients can be trusted (to the point where COMPLETE sanitization shouldn't be necessary) and that will never be edited/populated again (once it is initially set).

i suggest just making sure that magic quotes are enabled in PHP (put <?php phpinfo(); ?> in a php file and go to it on your server, it'll show the config of your server. look for the enable_magic_quotes (or something w/ magic quotes in it) and make sure it's enabled).

 

[Gene]

honestly, (if the way i understand it is correct), it may not matter that much. if you are selling a website to a client, then sending that client to a portal page where they will input the information that they want (login/info/accountid), i assume that your clients can be trusted (to the point where COMPLETE sanitization shouldn't be necessary) and that will never be edited/populated again (once it is initially set).

i suggest just making sure that magic quotes are enabled in PHP (put <?php phpinfo(); ?> in a php file and go to it on your server, it'll show the config of your server. look for the enable_magic_quotes (or something w/ magic quotes in it) and make sure it's enabled).

Thanks for that information. The clients upload all the files to their own hosting account, and they are the only one(s) using the form (which is password protected) to set up the site or to modify it in the future. So, the magic quotes thing may or may not exist on their hosting account.

 

[nasaboy007]

The way Eric edited it makes it more secure (since you're validating the input). You shouldn't need to worry about sanitizing the data as much, now.

Also, thanks for showing me filter_var, Eric. I had no idea that existed and I've always HATED having to use regexp to validate things. Rep+

 

[Eric]

The way Eric edited it makes it more secure (since you're validating the input). You shouldn't need to worry about sanitizing the data as much, now.

Also, thanks for showing me filter_var, Eric. I had no idea that existed and I've always HATED having to use regexp to validate things. Rep+

Thanks for the rep. and no problem PHP 5 has some awesome features

 

[Gene]

Thanks again to both of you. I guess I've repped you both too much in the past so can't do it again yet, but I sincerely appreciate your help.