How is it possible to allow a user to create a webpage containing some html, based on their entries in a form? ie. I would want them to be able to input a name and when the button is clicked, a webpage called that name would be created. I imagine that this must be possible in php, but what functions/code would I be using?
Thank you!
First of all, I would ask myself if this really what I need.
Why don't you just create a basic template page and pass the data as a parameter?
Something like:
user.php?name=joachim
If you still want to do that, you could use the PHP functions for opening, writing and closing files:
http://php.net/manual/en/function.fopen.php
http://php.net/manual/en/function.fwrite.php
http://php.net/manual/en/function.fclose.php
Here's a tutorial on how to create a file in php:
http://www.tizag.com/phpT/filecreate.php
This can pose big security risks in the first place, anyways, suppose form is submitted with html text, you can go about something like this:
$handle = fopen('file_name.html', 'r+');
// write to file
fwrite($handle, $_POST['fieldname']);
close($handle);
Note: You got to consider XSS and other security issues because you are allowing users to create pages. Bad guys can exploit it easily.
Resoures:
PHP File Handling Functions
XSS
Finally, a must read PHP security guide:
http://phpsec.org/projects/guide/
Idea:
Just allow them minimal of customization and use a pre-made page where you could insert this user data. Ofcourse as said, you need to sanitize the user-submitted data and consider security issues.
I would just have a page that acts as a template that populates based on the fields you mention, unless you actually need a physical file.
The template makes changes and security much easier.
UPDATE: Basically you can either have your form submit to a page that prints those POSTed fields to the appropriate spots or post to a database and then pull to the page.
You'd need to extract the entries of the form from the $_GET or $_POST arrays, and then use file writing functions such as fwrite to create a file. Theres an example on how to do a simple write here.
Excluding the fact that it is a security risk to allow users to create any files on the host...
You can create a file via fopen(), fwrite() and fclose() or using file_put_contents(). I prefer using some kind of template file which you load first, then add the user input values in it and then save the whole string via fwrite() or file_put_contents(). You get the user inputs from the $_GET or $_POST array, depending on the method you used in your form.
By saying "create a webpage containing some html, based on their entries in a form" I'm going to assume ( yeah yeah I know) that what you really mean is to determine the contents of a page by the entries from the form.
Gonna try and explain this as basically as possible, because I'm not completely sure I understand your intent.
When you write the form, you will have an tag that contains action="example.php". This means that it will perform the actions on example.php
In example.php, you can then retrieve the variables passed to it from the form by looking within your $_POST[] array variable. Then, you can change the structure of example.php or your result page by using the variables in php to determine what you print.
I don't think generating a physical file would be necessary, and since you're using a form to get the information in, $_GET is kind of pointless (I'd guess in most cases).
Related
I wish to store certain pieces of code in database tables as templates but I am unsure as to whether they are going to create problems or not. I keep reading mixed messages from various different people in different posts and I am just not happy that I am clear on this subject.
I have already worked out that you cannot really echo/ print PHP into a webpage. Obviously you can echo strings of HTML but it becomes awkward when you try to do it with PHP code. The only way I have managed to do this is through eval which is apparently bad in most cases... so I am using another method to implement the templates (i.e. writing a php file to be used as an include file)
The main question I am asking is: is there really a problem with storing the PHP code strings (which include SQL statements) inside text type fields (mediumtext, longtext etc) in tables? Could those SQL statements ever do anything like execute actual actions or would they just remain as text strings?
Just to clarify, the reason I am storing strings of code is because they are templates to be used should the web administrator wish to allocate them to a specific area (div) of the pages.
Use SMARTY or Twig template engine. This will neatly solve your problem and you will not need to store anything in the database. It will also keep your PHP code completely separate from your HTML.
Another option is to use
I can see the need for code in the database for instance if you have multiple sites and want to do a source control between them, and not use any 3rd party software.. I would store in a database and then write the code on to a actual physical page, then run the php from that page...
Do not do this. If your database is ever compromised and someone injects malicious PHP, it may be executed. You should store the templates as files and call them when needed.
And you actually can echo/print PHP. You would do it using eval.
The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.
This is quite a complex question for what is a complex idea and project. I'm wondering if there is a way to edit certain lines of a PHP page through a PHP page? One page, lets say (index.php) would be for the public whilst another (edit.php) would be the page to edit certain things on this page. I'm looking for a way to update the data, not just replace the file.
The edit.php file would show what is currently there and allow the user to change it and the save it. Is this possible? I can already see replies saying "Why are you not using a Database?"... It's easier this way, I think? Any suggestions are appreciated.
My recommendation would be to create an object that represents the information they can edit and then use PHPs serialize and unserialize to map it to a string and back.
The string can be stored in a text file and PHP handles changes to the object very gracefully if you add new properties.
If you want them to actually change PHP code, it could be very volatile.
I'm developing a web application where an html page is created for the user. The page could include anything that the user puts in it. We take these pages and add a little PHP at the top to check some things before outputting the actual html. It would look kind of like this:
<?php
require 'checksomestuff.php';
// User's html below
?>
<html>
<!-- user's html -->
</html>
Is there a way to stop PHP from parsing anything after my require? I need the html to be outputted, but, since the user can add anything they want to the html, I don't want any user-added PHP to be executed. Obviously that would be a security issue. So, I want the user's html to be outputted, but not parse any PHP. I would rather not have to put the user's html into another file.
One sensible way would be to offload the user created content to another file and then you should load this file (in your main php file) and output it as is - without parsing it as PHP.
There are many other ways to do this but if creating another file does the job for you then thats probably the best way forward.
UPDATE: Really must read last line of question!
You could encode the html into a variable using base64 encoding which you then just print out the decoded string.
If you don't store the file data in a php file, say n a txt or html file, the php won't be evaluated.
Alternatively you could read the file via file_get_contents() or by some other means which doesn't involve evaluating php.
Though I'm still tempted to ask why you want to do this (particularly this way), it sounds to me like one of the only things that can help you is the special __halt_compiler() function...
That should prevent it from executing the rest of the page, and may or may not output the rest of it. If not, well, read the first (and currently only) example in the PHP's manual for that function (linked above) for how to do it manually.
The only trouble I see with this method is that you'd probably have to have that code in every file you want to do this for, after your require.
I'm working on a site in php. Originally I had a lot of html pages but they were all very similar in that they had a heading, an image, and some text. I was able to consolidate my pages into one php page and pass in the heading and image name as GET variables. I wouldn't want to pass a lot of text this way though. What's the best way to do this? I was thinking of including the text from a text file but then I'd have a text file for every item. I also thought that I could have a database and read the text from there. What do you guys think?
According to me, it is better you use the database and just pass the ID's, through the $_GET.
You can divide your page in three sections.
header.php // including all the header section
body.php // your main content, varying according the $_GET
footer.php // footer section
Thanks.
pass in the heading and image name as GET variables
This is probably not secure. And its a bad coding practice to rely on GET's for your page structure. Why not use includes?
As for storing the data, the database is the way to go, flat files suck.
So, you could pass a unique ID for the text, and always include your header and footer:
include_once('header.php');
//If the id is valid, use it to query the text from the database.
include_once('footer.php');
You're right, using GET variables is inconvenient. It is also very insecure, since an attacker could trick a user into following a link which would inject HTML into the page, which could then pass the user's cookies to the attacker.
The most common approach is to store the various content blocks in a database such as MySQL. See the PHP MySQL docs to get started. You can then set up a simple form or WYSIWYG editor such as TinyMCE to allow the site administrator to edit content.
Hi I have a web form that sends a string to one php file which redirects them to a corresponding URL. I've searched about web form hacking and I've only received information about PHP and SQL... my site only uses a single PHP file, very basic etc. Would it be open to any exploits? I'm obviously not going to post the URL, but here is some code I was working on for the php file:
Newbie PHP coding problem: header function (maybe, I need someone to check my code)
Thanks
From that little snippet, I don't see anything dangerous. "Hackers" can enter pretty much anything they want into $_REQUEST['sport'] and thereby $searchsport, but the only place you use it is to access your array. If it's not found in your array.... nothing much will happen. I think you're safe in this limited scenario ;) Just be careful not to use $searchsport for...... just about anything else. Echoing it, or inserting it into a DB is dangerous.
Uh, it really depends. If you are inserting data into a MySQL DB without sanitizing, the answer is a huge yes. This is something you need to decide for yourself if you aren't going to show code.
The solution you've got in the linked question is pretty safe.
Every possible action is hardcoded in your script.
Nothing to worry about.
Though asking for the "web form like this" you'd better to provide a web form. Not the link to the question that contains a code that can be presumed as this form's handler.