Oops! I figured it out. Had to strip slashes...
Hello, I have the following code to edit my configuration file in the browser. The file content is retrieved and displayed in a text box. Then the edits are saved back into the file. Everything works fine on my development machine but in my hosting account it does not work.
When I save the file, all single quotes are overwritten, adding a backslash in front of them.
How can I change my code to prevent this? Thank you!
<?php
// button javascript
$save_changes_js = "return confirm('Do you want to SAVE the CHANGE(S)?');";
// open web config
$filename = ROOT_PATH.'web.config.php';
$contents = file_get_contents($filename);
if(isset($_POST['txbConfig']) && !empty($_POST['txbConfig']))
{
// save changes to file
$changes = $_POST['txbConfig'];
file_put_contents($filename,$changes);
// refresh page
$destination_url = SITE_URL.'admin/edit-config.php';
header('Location:'.$destination_url);
}
?>
<form action="" method="post" name="editConfig" class="htmlForm">
<div class="editConfigWrap">
<textarea name="txbConfig"><?php echo $contents ?></textarea>
</div>
<input name="submit" type="submit" value="Save Changes" class="gvbtn" onclick="<?php echo $save_changes_js; ?>">
</form>
This happens because your ISP still has Magic Quotes turned on. Ideally, get them to turn it off or find a way to configure it for your account.
If this can't be done, you need to use stripslashes or equivalent. See this other SO question: How to turn off magic quotes on shared hosting?
You've got 'magic quotes' turned on. They are anything but magic.
You can detect this setting and undo the magic by checking for it with get_magic_quotes_gpc or get_magic_quotes_runtime, e.g.
$value = get_magic_quotes_gpc() ? stripslashes($_REQUEST['value']) : $_REQUEST['value'];
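An added example (not code from the question or from either answer) of undoing magic quotes only when they are active, so that backslashes which belong in the config file survive on hosts where the setting is off. The helper names and the sample config line are hypothetical; get_magic_quotes_gpc() no longer exists on PHP 8.0 and later, which the guard accounts for.

```php
<?php
// Added example; helper names are hypothetical, not from the original posts.

// True only when the runtime really escaped request data. The feature was
// removed in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0, so guard the call.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Strip the added backslashes from a string, or from every string in a nested array.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Read one request field as the browser sent it. $active can be forced for a dry run.
function raw_field(array $source, $key, $active = null)
{
    if (!isset($source[$key])) {
        return null;
    }
    $active = ($active === null) ? magic_quotes_active() : $active;
    return $active ? undo_magic_quotes($source[$key]) : $source[$key];
}

// Constructed sample: the same config line as each kind of host would deliver it.
$sent    = "define('LOG_DIR', 'C:\\logs');";           // what the user typed
$escaped = array('txbConfig' => addslashes($sent));    // host with magic quotes on
$plain   = array('txbConfig' => $sent);                // host with magic quotes off

var_dump(raw_field($escaped, 'txbConfig', true) === $sent);   // guarded read, quotes on
var_dump(raw_field($plain, 'txbConfig', false) === $sent);    // guarded read, quotes off
var_dump(stripslashes($plain['txbConfig']) === $sent);        // unconditional stripslashes

// In the save handler this would be: $changes = raw_field($_POST, 'txbConfig');
```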
Related
I have a form on my website. I wanted to save the input to a .txt file, but when I submit data, the .txt file gets larger (bytes increase) but no text shows up.
Here is the code
<div>
<form action="controller.php">
<input name="card" id="card" type="email">
<button type="submit" name="submit" >Submit</button>
</form>
</div>
Here is the .php code
<?php
$card = $_POST['card'];
$file = fopen ('file.txt', "a");
fwrite($file, $card . "\n");
fclose($file);
die(header("Location: ".$_SERVER["HTTP_REFERER"]));
?>
I have a sub domain with the same code and it works perfectly fine.
Why is it not working and how do I fix it?
I tried to change the id and the type.
You have a very simple issue here. Let's see why by trying to do this on your file:
print_r($_POST);
You will see that after posting your form, you have no POST data. Your form is, by default (on your server or PHP configuration), sending the data not using the POST method, but the GET one (your other server is probably set up the opposite way).
To fix this, you can either change your $card variable to:
$card = $_GET['card'];
Or rather, and that would be a better option to make it clearer and avoid problems if you migrate your website to another server/PHP version, you could simply specify the method on your tag:
<form action="controller.php" method="post">
Please don't forget to secure the data that will be written to this file; malicious users exist, and if you keep your code that simple, it might be a serious security issue.
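One way to act on that last point, as an added example that is not part of the answer above: validate the field on the server, refuse anything that could add extra lines to the file, append under a lock, and redirect to a fixed page rather than to the Referer header. The helper names, the length limit and the /index.php target are assumptions.

```php
<?php
// Added example; paths, limits and helper names are assumptions, not the poster's code.

// Accept only a single-line, syntactically valid e-mail address (the field is type="email").
function clean_card_field($raw)
{
    if (!is_string($raw)) {
        return null;                      // array input such as card[]=x is rejected
    }
    $raw = trim($raw);
    // Control bytes, CR and LF included, would let one submission forge extra lines.
    if ($raw === '' || strlen($raw) > 254 || preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Append one record under an exclusive lock so concurrent requests cannot interleave.
function append_record($path, $value)
{
    return file_put_contents($path, $value . "\n", FILE_APPEND | LOCK_EX) !== false;
}

if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $card = clean_card_field(isset($_POST['card']) ? $_POST['card'] : null);
    if ($card !== null) {
        append_record(__DIR__ . '/file.txt', $card);
    }
    header('Location: /index.php');       // fixed target instead of the Referer header
    exit;
} else {
    // Constructed inputs for a command-line run: each is shown with the validator's result.
    $samples = array(
        'alice@example.com',
        "bob@example.com\nadmin@example.com",
        'not an address',
        array('x'),
    );
    foreach ($samples as $sample) {
        echo json_encode($sample), ' => ', json_encode(clean_card_field($sample)), "\n";
    }
}
```

Keeping file.txt outside the web root, or denying direct requests to it, stops visitors from downloading the collected entries.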
I have created a php editor using file function, where users can run code online and get result on the same page.
executephp5.php
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<b>Write your code here</b>
<textarea name="code"></textarea>
<input type="submit" value="Run code">
</form>
<?php
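// empty string on the first page load, when nothing has been posted yet
$cd = isset($_POST['code']) ? stripslashes($_POST['code']) : '';
// don't write an empty textarea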
if(empty($cd)) {
echo "";
} else {
$file=fopen("demo.php","w");
echo fwrite($file, $cd);
fclose($file);
}
?>
<b>Results:</b>
<hr>
<?php
error_reporting(E_ALL);
include "demo.php";
?>
demo.php is the target file; it is updated by the form.
This all works as expected. My problem is that I want to disable all file, directory, mail() and ftp functions for this editor so that users can not crash the site.
Is there any way to disable those functions only for my editor?
You can pass in disable_functions, i.e. "Comma separated list of functions to disable within the sandbox sub-interpreter."
Check Runkit_Sandbox. You should make the editor available as a sandbox.
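A sketch of how the disable_functions option mentioned above is passed to Runkit_Sandbox, added here as an example and not taken from either answer. It assumes the PECL runkit extension built with sandbox support on a thread-safe PHP; the function list is illustrative rather than exhaustive, and run_in_sandbox() is a hypothetical helper that replaces writing to demo.php and including it.

```php
<?php
// Added example; assumes PECL runkit with sandbox support on a thread-safe PHP build.
// The list below is illustrative, not exhaustive.
$blocked = array(
    // file and directory access
    'fopen', 'file', 'file_get_contents', 'file_put_contents', 'unlink', 'rename',
    'copy', 'mkdir', 'rmdir', 'opendir', 'scandir', 'glob', 'chmod',
    // mail and FTP
    'mail', 'ftp_connect', 'ftp_ssl_connect',
    // process execution
    'exec', 'shell_exec', 'system', 'passthru', 'proc_open', 'popen',
);

// Hypothetical helper: evaluate submitted code inside a restricted sub-interpreter.
function run_in_sandbox($code, array $blocked)
{
    if (!class_exists('Runkit_Sandbox')) {
        return false;   // extension absent: refuse instead of falling back to include
    }
    $sandbox = new Runkit_Sandbox(array(
        'disable_functions' => implode(',', $blocked),
        'allow_url_fopen'   => 'false',
    ));
    // Submitted text starts in HTML mode like demo.php did, so leave PHP mode first.
    $sandbox->eval('?>' . $code);
    return true;
}

$code = isset($_POST['code']) ? $_POST['code'] : '';
if ($code !== '' && !run_in_sandbox($code, $blocked)) {
    echo 'Sandbox unavailable; code was not executed.';
}
```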
So here's my HTML form
<form method="POST" action="/process_forgot">
<input type="text" name="name" value="test">
<input type="submit">
</form>
And /process_forgot
if(isset($_POST['name'])){
echo "good";
}
else{
echo "string";
}
And all I get back is string. Which is weird because I'm posting the value and I set the name. I've done this tons of times, this is the only time I've ever had an issue. Any ideas?
Add the .php extension to the file location process_forgot...this should fix the issue because without that you have a redirect and all the POST data are lost; for this reason it always runs echo "string".
1) It may sound dumb, but try to see if you require a .php extension in the end of process_forgot in your action.
2) Try directly going to [YourWebsite]/[YourDirectory]/process_forgot.php and see if the file is accessible. You will, depending on your code, probably get a blank page, but that is expected.
3) Check if there is any other problem in your code that is preventing the script from running properly.
To start, I consider myself in between beginner and intermediate when it comes to PHP. On my website, I have a textarea that the user can input web code in and when a button is pressed, it sends the code to the page and displays the output. Here is the link to the page: http://opensourcewebsite.host22.com/editpage.php. Another problem that I am running into is that I want whatever the user enters to stay on the page.
Here is what the code looks like so far:
<?php $source_code = $_POST['source-code']; ?>
...
<editable_area>
<?php echo $source_code ?>
</editable_area>
...
<form action="" method="post">
<input class="result" type="submit" name="submit" value="View Result">
<textarea id="source" class="edit_are" name="source-code"></textarea>
Currently, when a user inputs code containing an id/class/name/etc. that has quotes in it, it is like when you do:
echo "<div id="Name">"
It will add the \" and thus messing up the code. I need to find a way to store the code so that it will display correctly. If you try the web page, you will see my issue first hand.
When the code is submitted, the textarea grabs the source code of the web page through javascript. I have discovered that if you leave out the "" in the code, it works as expected. The problem is that when it grabs the source code, there are quotes in it so the code will display them in the textarea. This means every time you make a change, you need to take out all of the quotes.
Thanks to webbiedave, I fixed the quote problem by using:
<?php echo stripslashes($source_code) ?>
Now I just need to figure out how to permanently store changes.
<?php echo htmlentities(stripslashes($source_code)) ?>
Check if you have magic quotes turned on and make sure you turn them off. Also, you'll want to use htmlspecialchars to escape the special characters. Otherwise, they can just close your textarea and wreak other havoc.
echo htmlspecialchars($source_code);
Can you use single quotes instead:
'<div id="Name">';
So I've been fighting with this for a few days, and I just can't seem to make it work. Whenever I press the submit button, the browser should send the post variables to write.php, but instead, it just redirects back to the website homepage, or the Document Root. This should be really, really simple, and I've done it before, but now it doesn't work for me. What I want to know is if this is a problem with my webserver setup, or PHP, or just a stupid mistake on my part. It's just a simple HTML form, not really special, so here's the form itself, in index.php:
<p style="font-size:13px">
<?php
$rp = fopen('mainlog.txt', 'r');
while(!feof($rp))
{
$read = fgets($rp);
echo($read).('<br/>');
}
fclose($rp);
?>
</p>
<form action="write.php" method="post">
Name: <input type="text" name="user" /><br/>
Changes:<br/>
<textarea cols="70" rows="8" name="change" style="background-color:#555;color:#ccc;font-family:verdana,arial,helvetica,sans-serif;font-size:13px"></textarea><br/>
<input type="submit" value="Add Entry"/>
</form>
And here's where it sends to, in write.php:
<?php
$fp = fopen('mainlog.txt', 'a');
$wr1 = $_POST['change'];
#$my_t = getdate(date("g"));
date_default_timezone_set("America/New_York");
$date = date("n").('/').date("d").('/').date("Y").(', ').date("g").(':').date("i").(':').date("s");
$who = $_POST['user'];
$write = $date.(' by ').$who.('
').$wr1.('
');
fwrite($fp, $write);
fclose($fp);
header('Location: http://www.zennixstudios.com/first/chlog/');
?>
I have tried this both on my Apache 2.2 dedicated server with PHP 5 on FreeBSD8.2, and on XAMPP for Windows, with the same results. I have a suspicion that it may have something to do with PHP, specifically PHP include(), because I have several of those on this page, and when I put this on a friend's computer with XAMPP, but without the included files, the include()s just put errors on the screen, but the HTML form suddenly works fine. So, are there any known conflicts with HTML forms and certain PHP functions?
Other Notes:
The code shown above for index.php is within the main page div, but if you want the whole page source just ask.
I'm pretty sure the error isn't in write.php, because I KNOW that the browser never sends anything to it, because it would at least put the date in mainlog.txt.
If you want to see what this looks like in context, go to http://www.zennixstudios.com/first/chlog/
Thanks,
Chaos
Here is your problem:
<table align="right"><tr><td align="right"><form action="/" method="post">Username: <input action="login.php" type="text" name="uname"/><br/>Password: <input type="password" name="passwd"/><br/><input type="submit" value="Login" align="right"/></td></tr></table>
You never closed the form up in your header for the username and password, so your <form action="/" method="post"> is being used for pretty much the entire page and your write.php form action is being ignored because a form is already, technically, open. You'll need to close the form in your header for the rest of your page to work properly.
To reiterate: nothing is being redirected, you're actually posting all the data from both 'forms' to the location / as specified.