Page 1 of 3

Config.php maker NEED HELP!

Posted: Fri Mar 23, 2007 3:10 pm
by ziggy3000
Jcart | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]


Can any one help me with this? I dont know whats wrong with this.

Code: Select all

<hmtl>
<head>
<title>Configuration File Maker</title>
</head>
<body>
<center><h3>Configuration file Maker</h3></center>
<form method="post" action="$_SERVER['PHP_SELF']">
Site Title: <input type="text" name="site_title"><br>
Database Host(Usually Localhost): <input type="text" name="db_host"><br>
Database Username: <input type="text" name="db_user"><br>
Database Password: <input type="password" name="db_pass"><br>
Database Name: <input type="text" name="db_name"><br>
<input type="submit" name="submit" value="Register">
</form> 

<?php
if (isset($_POST["submit"]))
 {
  $site_title = htmlspecialchars(mysql_real_escape_string($_POST["site_title"])); // Site title
  $db_host = htmlspecialchars(mysql_real_escape_string($_POST["db_host"])); // Database Host
  $db_user = htmlspecialchars(mysql_real_escape_string($_POST["db_user"])); // Database Username
  $db_pass = htmlspecialchars(mysql_real_escape_string($_POST["db_pass"])); // Database Password
  $db_name = htmlspecialchars(mysql_real_escape_string($_POST["db_name"])); // Database Name
  }
  
$content = "<?php
define('site_title', '$site_title');
define('db_host', '$db_host');
define('db_user', '$db_user');
define('db_pass', '$db_pass');
define('db_name', '$db_name');
?>";

$fp = fopen($file_to_write, 'w');
fwrite($fp, $content);
fclose($fp);
echo "Success! <br>";
echo "$file_to_write";
echo " has been written";

?> 
</body>
</html>

Jcart | Please use

Code: Select all

,

Code: Select all

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read:  [url=http://forums.devnetwork.net/viewtopic.php?t=21171]Posting Code in the Forums[/url] to learn how to do it too.[/color]

Posted: Fri Mar 23, 2007 3:15 pm
by Kieran Huggins
<hmtl>?

grab an editor with syntax highlighting - it makes worlds of difference

Posted: Fri Mar 23, 2007 3:16 pm
by John Cartwright
ziggy3000 wrote:Can any one help me with this? I dont know whats wrong with this.
Neither will we if you don't tell us whats happening. Error? Notices?

From taking a quick glance however, your trying to use mysql_real_escape_string() without a database connection.

Posted: Fri Mar 23, 2007 3:16 pm
by louie35
What error are you getting?

try this way:

Code: Select all

<hmtl> 
<head> 
<title>Configuration File Maker</title> 
</head> 
<body> 
<center><h3>Configuration file Maker</h3></center> 
<form method="post" action="<?php echo $_SERVER['PHP_SELF'];?>"> 
Site Title: <input type="text" name="site_title"><br> 
Database Host(Usually Localhost): <input type="text" name="db_host"><br> 
Database Username: <input type="text" name="db_user"><br> 
Database Password: <input type="password" name="db_pass"><br> 
Database Name: <input type="text" name="db_name"><br> 
<input type="submit" name="submit" value="Register"> 
</form> 

<?php 
if (isset($_POST["submit"]))  { 
  $site_title = htmlspecialchars(mysql_real_escape_string($_POST["site_title"])); // Site title 
  $db_host = htmlspecialchars(mysql_real_escape_string($_POST["db_host"])); // Database Host 
  $db_user = htmlspecialchars(mysql_real_escape_string($_POST["db_user"])); // Database Username 
  $db_pass = htmlspecialchars(mysql_real_escape_string($_POST["db_pass"])); // Database Password 
  $db_name = htmlspecialchars(mysql_real_escape_string($_POST["db_name"])); // Database Name 

  
$content = "<?php 
define('site_title', '$site_title'); 
define('db_host', '$db_host'); 
define('db_user', '$db_user'); 
define('db_pass', '$db_pass'); 
define('db_name', '$db_name'); 
?>"; 

$fp = fopen($file_to_write, 'w'); 
fwrite($fp, $content); 
fclose($fp); 
echo "Success! <br>"; 
echo "$file_to_write"; 
echo " has been written"; 

}else{

  echo "please fill in the form";

} //end if
?>

Posted: Fri Mar 23, 2007 3:18 pm
by Kieran Huggins
also, where is $file_to_write being set?

Posted: Fri Mar 23, 2007 3:30 pm
by feyd
This looks like a dangerous script. :?

Posted: Fri Mar 23, 2007 3:34 pm
by John Cartwright
feyd wrote:This looks like a dangerous script. :?
Indeed, I didn't even notice he was building a literal php code to be eval'd. Instead, store a name pair value, and consider parsing your configuration file into a php array.

Errors

Posted: Fri Mar 23, 2007 3:36 pm
by ziggy3000
i am getting the following errors

Warning: fwrite(): supplied argument is not a valid stream resource in C:\Server\Apache\htdocs\configmaker.php on line 36

Warning: fclose(): supplied argument is not a valid stream resource in C:\Server\Apache\htdocs\configmaker.php on line 37

Posted: Fri Mar 23, 2007 3:37 pm
by John Cartwright
Kieran Huggins wrote:also, where is $file_to_write being set?

Posted: Fri Mar 23, 2007 3:42 pm
by ziggy3000
I fixed some errors now.

Code: Select all

<html>
<head>
<title>Configuration File Maker</title>
</head>
<body>
<center><h3>Configuration file Maker</h3></center>
<form method="post" action="$_SERVER['PHP_SELF']">
Site Title: <input type="text" name="site_title"><br>
Database Host(Usually Localhost): <input type="text" name="db_host"><br>
Database Username: <input type="text" name="db_user"><br>
Database Password: <input type="password" name="db_pass"><br>
Database Name: <input type="text" name="db_name"><br>
<input type="submit" name="submit" value="Register">
</form> 

<?php
if (isset($_POST["submit"]))
 {
  $site_title = $_POST["site_title"]; // Site title
  $db_host = $_POST["db_host"]; // Database Host
  $db_user = $_POST["db_user"]; // Database User name
  $db_pass = $_POST["db_pass"]; // Database Password
  $db_name = $_POST["db_name"]; // Database Name
  }
  
$content = "<?php
define('site_title', '$site_title');
define('db_host', '$db_host');
define('db_user', '$db_user');
define('db_pass', '$db_pass');
define('db_name', '$db_name');
?>";

$file_to_write = "Config.php"
$fp = fopen($file_to_write, 'w');
fwrite($fp, $content);
fclose($fp);
echo "Success! <br>";
echo "$file_to_write";
echo " has been written";

?> 
</body>
</html>

Posted: Fri Mar 23, 2007 3:43 pm
by Ambush Commander
You need to perform some sort of authentication to make sure the user is authorized to write the PHP file.

Posted: Fri Mar 23, 2007 3:44 pm
by John Cartwright
Ignoring the security implications...

What errors did you fix? Is it working now? Gotto be more descriptive.

Posted: Fri Mar 23, 2007 3:47 pm
by ziggy3000
sorry..

i am getting this error


Parse error: parse error, unexpected T_VARIABLE in C:\Server\Apache\htdocs\configmaker.php on line 35

Posted: Fri Mar 23, 2007 3:48 pm
by feyd
Things left to fix:
  • PHP_SELF.
  • Looking for the submit button.
  • Code injection opportunities.
  • Variable existence checking.
Also, using constants for sensitive information such as the database host, user and password can leave the end site using these scripts vulnerable by the exploitation of one of their scripts.

Posted: Fri Mar 23, 2007 3:49 pm
by John Cartwright
Just want to say one more time, there are serious security implications with that script. A user could easily inject php code into your script.

Anyhow, your missing a semi colon