ziggy3000
Forum Contributor
Posts: 205 Joined: Fri Mar 23, 2007 3:04 pm
by ziggy3000 » Fri Mar 23, 2007 3:10 pm
Jcart | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.
Can anyone help me with this? I don't know what's wrong with this.
Code: Select all
<hmtl>
<head>
<title>Configuration File Maker</title>
</head>
<body>
<center><h3>Configuration file Maker</h3></center>
<form method="post" action="$_SERVER['PHP_SELF']">
Site Title: <input type="text" name="site_title"><br>
Database Host(Usually Localhost): <input type="text" name="db_host"><br>
Database Username: <input type="text" name="db_user"><br>
Database Password: <input type="password" name="db_pass"><br>
Database Name: <input type="text" name="db_name"><br>
<input type="submit" name="submit" value="Register">
</form>
<?php
if (isset($_POST["submit"]))
{
$site_title = htmlspecialchars(mysql_real_escape_string($_POST["site_title"])); // Site title
$db_host = htmlspecialchars(mysql_real_escape_string($_POST["db_host"])); // Database Host
$db_user = htmlspecialchars(mysql_real_escape_string($_POST["db_user"])); // Database Username
$db_pass = htmlspecialchars(mysql_real_escape_string($_POST["db_pass"])); // Database Password
$db_name = htmlspecialchars(mysql_real_escape_string($_POST["db_name"])); // Database Name
}
$content = "<?php
define('site_title', '$site_title');
define('db_host', '$db_host');
define('db_user', '$db_user');
define('db_pass', '$db_pass');
define('db_name', '$db_name');
?>";
$fp = fopen($file_to_write, 'w');
fwrite($fp, $content);
fclose($fp);
echo "Success! <br>";
echo "$file_to_write";
echo " has been written";
?>
</body>
</html>
Last edited by ziggy3000 on Fri Apr 06, 2007 5:55 pm, edited 4 times in total.
Kieran Huggins
DevNet Master
Posts: 3635 Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
by Kieran Huggins » Fri Mar 23, 2007 3:15 pm
<hmtl>?
grab an editor with syntax highlighting - it makes worlds of difference
John Cartwright
Site Admin
Posts: 11470 Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
by John Cartwright » Fri Mar 23, 2007 3:16 pm
ziggy3000 wrote: Can anyone help me with this? I don't know what's wrong with this.
Neither will we if you don't tell us what's happening. Error? Notices?
From taking a quick glance however, you're trying to use mysql_real_escape_string() without a database connection.
Last edited by John Cartwright on Fri Mar 23, 2007 3:17 pm, edited 1 time in total.
louie35
Forum Contributor
Posts: 144 Joined: Fri Jan 26, 2007 8:40 am
Location: Dublin
by louie35 » Fri Mar 23, 2007 3:16 pm
What error are you getting?
try this way:
Code: Select all
<hmtl>
<head>
<title>Configuration File Maker</title>
</head>
<body>
<center><h3>Configuration file Maker</h3></center>
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>">
Site Title: <input type="text" name="site_title"><br>
Database Host(Usually Localhost): <input type="text" name="db_host"><br>
Database Username: <input type="text" name="db_user"><br>
Database Password: <input type="password" name="db_pass"><br>
Database Name: <input type="text" name="db_name"><br>
<input type="submit" name="submit" value="Register">
</form>
<?php
if (isset($_POST["submit"])) {
$site_title = htmlspecialchars(mysql_real_escape_string($_POST["site_title"])); // Site title
$db_host = htmlspecialchars(mysql_real_escape_string($_POST["db_host"])); // Database Host
$db_user = htmlspecialchars(mysql_real_escape_string($_POST["db_user"])); // Database Username
$db_pass = htmlspecialchars(mysql_real_escape_string($_POST["db_pass"])); // Database Password
$db_name = htmlspecialchars(mysql_real_escape_string($_POST["db_name"])); // Database Name
$content = "<?php
define('site_title', '$site_title');
define('db_host', '$db_host');
define('db_user', '$db_user');
define('db_pass', '$db_pass');
define('db_name', '$db_name');
?>";
$fp = fopen($file_to_write, 'w');
fwrite($fp, $content);
fclose($fp);
echo "Success! <br>";
echo "$file_to_write";
echo " has been written";
}else{
echo "please fill in the form";
} //end if
?>
Kieran Huggins
DevNet Master
Posts: 3635 Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada
by Kieran Huggins » Fri Mar 23, 2007 3:18 pm
also, where is $file_to_write being set?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Fri Mar 23, 2007 3:30 pm
This looks like a dangerous script.
John Cartwright
Site Admin
Posts: 11470 Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
by John Cartwright » Fri Mar 23, 2007 3:34 pm
feyd wrote: This looks like a dangerous script.
Indeed, I didn't even notice he was building a literal php code to be eval'd. Instead, store a name pair value, and consider parsing your configuration file into a php array.
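The injection raised in the two posts above, next to the name/value storage John Cartwright suggests, as an added example that is not code from any poster in this thread. The function names, the config.json file name and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example: function names, file name and sample value are constructed.

// The thread's approach: raw input interpolated into PHP source text.
function build_php_config_unsafe(array $in): string
{
    return "<?php\ndefine('site_title', '{$in['site_title']}');\n";
}

// The suggested alternative: store name/value pairs as data, never as code.
function save_config(string $path, array $in): void
{
    $allowed = ['site_title', 'db_host', 'db_user', 'db_pass', 'db_name'];
    $config = [];
    foreach ($allowed as $key) {
        // Only known keys are kept, and only as plain strings.
        $config[$key] = (isset($in[$key]) && is_string($in[$key])) ? $in[$key] : '';
    }
    $json = json_encode($config, JSON_PRETTY_PRINT);
    if ($json === false || file_put_contents($path, $json, LOCK_EX) === false) {
        throw new RuntimeException("could not write $path");
    }
}

// Parse the file back into a PHP array; nothing in it is ever executed.
function load_config(string $path): array
{
    $config = json_decode((string) file_get_contents($path), true);
    if (!is_array($config)) {
        throw new RuntimeException("invalid config file $path");
    }
    return $config;
}

// Constructed input: the quote closes the string literal inside define().
$input = ['site_title' => "x'); echo 'injected'; //", 'db_host' => 'localhost'];

// In the generated source the echo is now a statement of its own.
echo build_php_config_unsafe($input);

$path = sys_get_temp_dir() . '/config.json';
save_config($path, $input);
var_dump(load_config($path)['site_title'] === $input['site_title']); // compares stored value with input
```

Unlike Config.php, a .json file is normally served as plain text when requested directly, so keep it outside the document root.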
ziggy3000
Forum Contributor
Posts: 205 Joined: Fri Mar 23, 2007 3:04 pm
by ziggy3000 » Fri Mar 23, 2007 3:36 pm
I am getting the following errors:
Warning: fwrite(): supplied argument is not a valid stream resource in C:\Server\Apache\htdocs\configmaker.php on line 36
Warning: fclose(): supplied argument is not a valid stream resource in C:\Server\Apache\htdocs\configmaker.php on line 37
John Cartwright
Site Admin
Posts: 11470 Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
by John Cartwright » Fri Mar 23, 2007 3:37 pm
Kieran Huggins wrote: also, where is $file_to_write being set?
ziggy3000
Forum Contributor
Posts: 205 Joined: Fri Mar 23, 2007 3:04 pm
by ziggy3000 » Fri Mar 23, 2007 3:42 pm
I fixed some errors now.
Code: Select all
<html>
<head>
<title>Configuration File Maker</title>
</head>
<body>
<center><h3>Configuration file Maker</h3></center>
<form method="post" action="$_SERVER['PHP_SELF']">
Site Title: <input type="text" name="site_title"><br>
Database Host(Usually Localhost): <input type="text" name="db_host"><br>
Database Username: <input type="text" name="db_user"><br>
Database Password: <input type="password" name="db_pass"><br>
Database Name: <input type="text" name="db_name"><br>
<input type="submit" name="submit" value="Register">
</form>
<?php
if (isset($_POST["submit"]))
{
$site_title = $_POST["site_title"]; // Site title
$db_host = $_POST["db_host"]; // Database Host
$db_user = $_POST["db_user"]; // Database User name
$db_pass = $_POST["db_pass"]; // Database Password
$db_name = $_POST["db_name"]; // Database Name
}
$content = "<?php
define('site_title', '$site_title');
define('db_host', '$db_host');
define('db_user', '$db_user');
define('db_pass', '$db_pass');
define('db_name', '$db_name');
?>";
$file_to_write = "Config.php"
$fp = fopen($file_to_write, 'w');
fwrite($fp, $content);
fclose($fp);
echo "Success! <br>";
echo "$file_to_write";
echo " has been written";
?>
</body>
</html>
Last edited by ziggy3000 on Fri Mar 23, 2007 3:44 pm, edited 1 time in total.
Ambush Commander
DevNet Master
Posts: 3698 Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US
Post
by Ambush Commander » Fri Mar 23, 2007 3:43 pm
You need to perform some sort of authentication to make sure the user is authorized to write the PHP file.
John Cartwright
Site Admin
Posts: 11470 Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
by John Cartwright » Fri Mar 23, 2007 3:44 pm
Ignoring the security implications...
What errors did you fix? Is it working now? Gotta be more descriptive.
ziggy3000
Forum Contributor
Posts: 205 Joined: Fri Mar 23, 2007 3:04 pm
by ziggy3000 » Fri Mar 23, 2007 3:47 pm
Sorry..
I am getting this error:
Parse error: parse error, unexpected T_VARIABLE in C:\Server\Apache\htdocs\configmaker.php on line 35
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Fri Mar 23, 2007 3:48 pm
Things left to fix:
PHP_SELF.
Looking for the submit button.
Code injection opportunities.
Variable existence checking.
Also, using constants for sensitive information such as the database host, user and password can leave the end site using these scripts vulnerable by the exploitation of one of their scripts.
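One way to handle the PHP_SELF, submit-button and existence-checking items in the list above, as an added example that is not code from the thread. The helper names, the FIELDS constant, the rule that only db_pass may be empty, and the sample request are assumptions constructed for illustration.

```php
<?php
// Added example: helper names and the sample request are constructed.

const FIELDS = ['site_title', 'db_host', 'db_user', 'db_pass', 'db_name'];

// PHP_SELF includes client-supplied path info, so escape it before it enters an attribute.
function form_action(array $server): string
{
    return htmlspecialchars($server['PHP_SELF'] ?? '', ENT_QUOTES, 'UTF-8');
}

// Detect a submission by request method, not by the presence of the submit button.
function is_submission(array $server): bool
{
    return ($server['REQUEST_METHOD'] ?? '') === 'POST';
}

// Existence and type checks for every expected field; returns [values, errors].
function read_fields(array $post): array
{
    $values = [];
    $errors = [];
    foreach (FIELDS as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            $errors[] = "$name is missing";
            continue;
        }
        if ($post[$name] === '' && $name !== 'db_pass') {
            $errors[] = "$name is empty";
        }
        $values[$name] = $post[$name];
    }
    return [$values, $errors];
}

// Constructed request: db_name is absent and PHP_SELF carries markup in its path info.
$server = ['REQUEST_METHOD' => 'POST', 'PHP_SELF' => '/configmaker.php/"><b>x</b>'];
$post   = ['site_title' => 'My Site', 'db_host' => 'localhost', 'db_user' => 'app', 'db_pass' => ''];

echo '<form method="post" action="', form_action($server), '">', "\n";
if (is_submission($server)) {
    [$values, $errors] = read_fields($post);
    echo $errors ? implode("\n", $errors) : 'all fields present', "\n";
}
```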
John Cartwright
Site Admin
Posts: 11470 Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto
by John Cartwright » Fri Mar 23, 2007 3:49 pm
Just want to say one more time, there are serious security implications with that script. A user could easily inject PHP code into your script.
Anyhow, you're missing a semicolon.