Config.php maker NEED HELP!


ziggy3000
Forum Contributor
Posts: 205
Joined: Fri Mar 23, 2007 3:04 pm

Post by ziggy3000 »

Jcart | Please use code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.

Can anyone help me with this? I don't know what's wrong with this.

Code: Select all

<hmtl>
<head>
<title>Configuration File Maker</title>
</head>
<body>
<center><h3>Configuration file Maker</h3></center>
<form method="post" action="$_SERVER['PHP_SELF']">
Site Title: <input type="text" name="site_title"><br>
Database Host(Usually Localhost): <input type="text" name="db_host"><br>
Database Username: <input type="text" name="db_user"><br>
Database Password: <input type="password" name="db_pass"><br>
Database Name: <input type="text" name="db_name"><br>
<input type="submit" name="submit" value="Register">
</form> 

<?php
if (isset($_POST["submit"]))
 {
  $site_title = htmlspecialchars(mysql_real_escape_string($_POST["site_title"])); // Site title
  $db_host = htmlspecialchars(mysql_real_escape_string($_POST["db_host"])); // Database Host
  $db_user = htmlspecialchars(mysql_real_escape_string($_POST["db_user"])); // Database Username
  $db_pass = htmlspecialchars(mysql_real_escape_string($_POST["db_pass"])); // Database Password
  $db_name = htmlspecialchars(mysql_real_escape_string($_POST["db_name"])); // Database Name
  }
  
$content = "<?php
define('site_title', '$site_title');
define('db_host', '$db_host');
define('db_user', '$db_user');
define('db_pass', '$db_pass');
define('db_name', '$db_name');
?>";

$fp = fopen($file_to_write, 'w');
fwrite($fp, $content);
fclose($fp);
echo "Success! <br>";
echo "$file_to_write";
echo " has been written";

?> 
</body>
</html>

Last edited by ziggy3000 on Fri Apr 06, 2007 5:55 pm, edited 4 times in total.
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

<hmtl>?

Grab an editor with syntax highlighting - it makes worlds of difference.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

ziggy3000 wrote: Can anyone help me with this? I don't know what's wrong with this.
Neither will we if you don't tell us what's happening. Error? Notices?

From taking a quick glance however, you're trying to use mysql_real_escape_string() without a database connection.
Last edited by John Cartwright on Fri Mar 23, 2007 3:17 pm, edited 1 time in total.
louie35
Forum Contributor
Posts: 144
Joined: Fri Jan 26, 2007 8:40 am
Location: Dublin

Post by louie35 »

What error are you getting?

Try this way:

Code: Select all

<html>
<head> 
<title>Configuration File Maker</title> 
</head> 
<body> 
<center><h3>Configuration file Maker</h3></center> 
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>"> 
Site Title: <input type="text" name="site_title"><br> 
Database Host(Usually Localhost): <input type="text" name="db_host"><br> 
Database Username: <input type="text" name="db_user"><br> 
Database Password: <input type="password" name="db_pass"><br> 
Database Name: <input type="text" name="db_name"><br> 
<input type="submit" name="submit" value="Register"> 
</form> 

<?php 
if (isset($_POST["submit"]))  { 
  $site_title = htmlspecialchars(mysql_real_escape_string($_POST["site_title"])); // Site title 
  $db_host = htmlspecialchars(mysql_real_escape_string($_POST["db_host"])); // Database Host 
  $db_user = htmlspecialchars(mysql_real_escape_string($_POST["db_user"])); // Database Username 
  $db_pass = htmlspecialchars(mysql_real_escape_string($_POST["db_pass"])); // Database Password 
  $db_name = htmlspecialchars(mysql_real_escape_string($_POST["db_name"])); // Database Name 

  
$content = "<?php 
define('site_title', '$site_title'); 
define('db_host', '$db_host'); 
define('db_user', '$db_user'); 
define('db_pass', '$db_pass'); 
define('db_name', '$db_name'); 
?>"; 

$fp = fopen($file_to_write, 'w'); 
fwrite($fp, $content); 
fclose($fp); 
echo "Success! <br>"; 
echo "$file_to_write"; 
echo " has been written"; 

}else{

  echo "please fill in the form";

} //end if
?>
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

Also, where is $file_to_write being set?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

This looks like a dangerous script. :?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

feyd wrote: This looks like a dangerous script. :?
Indeed, I didn't even notice he was building a literal PHP code to be eval'd. Instead, store a name pair value, and consider parsing your configuration file into a PHP array.
ziggy3000
Forum Contributor
Posts: 205
Joined: Fri Mar 23, 2007 3:04 pm

Errors

Post by ziggy3000 »

I am getting the following errors:

Warning: fwrite(): supplied argument is not a valid stream resource in C:\Server\Apache\htdocs\configmaker.php on line 36

Warning: fclose(): supplied argument is not a valid stream resource in C:\Server\Apache\htdocs\configmaker.php on line 37
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Kieran Huggins wrote: also, where is $file_to_write being set?
ziggy3000
Forum Contributor
Posts: 205
Joined: Fri Mar 23, 2007 3:04 pm

Post by ziggy3000 »

I fixed some errors now.

Code: Select all

<html>
<head>
<title>Configuration File Maker</title>
</head>
<body>
<center><h3>Configuration file Maker</h3></center>
<form method="post" action="$_SERVER['PHP_SELF']">
Site Title: <input type="text" name="site_title"><br>
Database Host(Usually Localhost): <input type="text" name="db_host"><br>
Database Username: <input type="text" name="db_user"><br>
Database Password: <input type="password" name="db_pass"><br>
Database Name: <input type="text" name="db_name"><br>
<input type="submit" name="submit" value="Register">
</form> 

<?php
if (isset($_POST["submit"]))
 {
  $site_title = $_POST["site_title"]; // Site title
  $db_host = $_POST["db_host"]; // Database Host
  $db_user = $_POST["db_user"]; // Database User name
  $db_pass = $_POST["db_pass"]; // Database Password
  $db_name = $_POST["db_name"]; // Database Name
  }
  
$content = "<?php
define('site_title', '$site_title');
define('db_host', '$db_host');
define('db_user', '$db_user');
define('db_pass', '$db_pass');
define('db_name', '$db_name');
?>";

$file_to_write = "Config.php"
$fp = fopen($file_to_write, 'w');
fwrite($fp, $content);
fclose($fp);
echo "Success! <br>";
echo "$file_to_write";
echo " has been written";

?> 
</body>
</html>
Last edited by ziggy3000 on Fri Mar 23, 2007 3:44 pm, edited 1 time in total.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

You need to perform some sort of authentication to make sure the user is authorized to write the PHP file.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Ignoring the security implications...

What errors did you fix? Is it working now? Gotta be more descriptive.
ziggy3000
Forum Contributor
Posts: 205
Joined: Fri Mar 23, 2007 3:04 pm

Post by ziggy3000 »

Sorry..

I am getting this error:

Parse error: parse error, unexpected T_VARIABLE in C:\Server\Apache\htdocs\configmaker.php on line 35
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Things left to fix:
  • PHP_SELF.
  • Looking for the submit button.
  • Code injection opportunities.
  • Variable existence checking.
Also, using constants for sensitive information such as the database host, user and password can leave the end site using these scripts vulnerable by the exploitation of one of their scripts.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Just want to say one more time, there are serious security implications with that script. A user could easily inject PHP code into your script.

Anyhow, you're missing a semicolon.
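
The following is an added example, not code posted by anyone in the thread. It illustrates the suggestion above to store name/value pairs and load the configuration as a PHP array, together with the "code injection" and "variable existence checking" items from the list of things left to fix. The function name build_config(), the sample input and the temporary file path are hypothetical; authentication of the person submitting the form is assumed to be handled elsewhere.

```php
<?php
// Added example (not code from the thread). Field names follow the form in the
// thread; build_config(), the sample input and the file path are hypothetical.

const FIELDS = ['site_title', 'db_host', 'db_user', 'db_pass', 'db_name'];

/**
 * Build the text of a config file that returns an array.
 * var_export() emits each value as a correctly quoted PHP literal, so a quote
 * or backslash in the input stays inside the string instead of ending it.
 */
function build_config(array $input): string
{
    $config = [];
    foreach (FIELDS as $key) {
        // Variable existence checking: every field must be present and a string.
        if (!isset($input[$key]) || !is_string($input[$key])) {
            throw new InvalidArgumentException("Missing or invalid field: $key");
        }
        // Reject control characters (newlines, NUL) that do not belong in these values.
        if (preg_match('/[\x00-\x1F\x7F]/', $input[$key])) {
            throw new InvalidArgumentException("Control character in field: $key");
        }
        $config[$key] = $input[$key];
    }
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

// Constructed input: the title contains a quote and text that looks like PHP.
$post = [
    'site_title' => "My Site'); echo 'x'; //",
    'db_host'    => 'localhost',
    'db_user'    => 'app',
    'db_pass'    => 'p@ss\\word',
    'db_name'    => 'appdb',
];

$file = sys_get_temp_dir() . '/config_example.php';   // hypothetical path
file_put_contents($file, build_config($post), LOCK_EX);

// Loading the file yields data only; the title comes back as a plain string.
$loaded = require $file;
var_dump($loaded === $post);
unlink($file);
```

Because the values are serialised by var_export() rather than interpolated into a hand-written string, the generated file contains only an array literal whatever the form fields hold.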