PHP write variables to file

gaptrast

Member
Messages
123
Reaction score
0
Points
16
Hi,

I have a form, and want to transfer all info typed into another php document as variables!

Here is the form:
HTML:
<form action=".index.php" method="get" class="form">

<input type="text" name="title" />

<input type="text" name="brief" />

<input type="submit" />

</form>

But this php code just writes "0" to the file:
PHP:
$myFile = "../phpprofiles/pahhh.php";
$fh = fopen($myFile, 'w') or die("can't open file");
$stringData = '
<?php
$title = "'+ $_GET["title"] +'";

$description = "'+$_GET["info"]+'";

$image = "'+$_GET["screenshot"]+'";

$name = "'+str_replace( " ", "", $_GET["title"] )+'";

$howtostop = "'+ $_GET["stop"] +'";

$tags="'+ $_GET["tags"] +'","'+ $_GET["tags2"] +'","'+ $_GET["tags3"] +'";


$producer="'+ $_GET["producer"] +'";
?>
';
fwrite($fh, $stringData);
fclose($fh);

Is there a way to solve this?
 

cybrax

Community Advocate
Community Support
Messages
764
Reaction score
27
Points
0
First steps are never easy, so always a good idea to go through all the tutorials. Though must admit there is a distinct lack of intermediate scripting help about for those trying to put it all together. PHP.net is a good place to find basic snippets.

Here's some quick code for inspiration, handy for many uses including blogging and adding comments to a page. Everthing gets stored in an external file called 'data.txt'.

PHP:
<?php
$title     = stripslashes($_POST["title"]);
$brief     = stripslashes($_POST["brief"]);


$output = '<h2>'.$title.'</h2><p>'.$brief.'</p>';

if ($title != '' && $brief !='') {
$datFile = 'data.txt';//write new data to file
								$fh = fopen($datFile, 'w') or die("can't open file"); // 'w' = overwite existing file, 'a' = add to file
								fwrite($fh,$output);
								fclose($fh);// 
}

$content= @file_get_contents("data.txt");
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body><form action="novice1.php" method="post">
  <table width="330" border="0" cellpadding="5" cellspacing="5">
    <tr>
      <td bgcolor="#FF6600"><h2>Data In File: </h2></td>
    </tr>
    <tr>
      <td bgcolor="#FFCC00"> <?php echo $content; ?></td>
    </tr>
    <tr>
      <td>&nbsp;</td>
    </tr>
    <tr>
      <td bgcolor="#33CCFF"><label>
        <input name="title" type="text" id="title" value="title" size="30" />
      </label></td>
    </tr>
    <tr>
      <td bgcolor="#0066FF"><label>
        <textarea name="brief" cols="20" id="brief">text description</textarea>
      </label></td>
    </tr>
    <tr>
      <td><label>
        <input type="submit" name="Submit" value="Submit" />
      </label></td>
    </tr>
  </table>
</form>
</body>
</html>
 

descalzo

Grim Squeaker
Community Support
Messages
9,373
Reaction score
326
Points
83
PHP:
$stringData = '
<?php
$title = "'

+ 

$_GET["title"] 

+

'";

$description = "'

+

$_GET["info"]

+

'";

$image = "'

+

$_GET["screenshot"]

+

'";

$name = "'

+

str_replace( " ", "", $_GET["title"] )

+

'";

$howtostop = "'

+ 

$_GET["stop"] 

+

'";

$tags="'

+

 $_GET["tags"] 

+

'","'

+ 

$_GET["tags2"] 

+

'","'

+

 $_GET["tags3"] 

+

'";


$producer="'

+ 

$_GET["producer"] 

+

'";
?>
'    ;

In PHP '+' is just for addition. So your code turns all the strings into numbers (all 0) and adds them.

You want '.' to concatenate strings.
 

misson

Community Paragon
Community Support
Messages
2,572
Reaction score
72
Points
48
Another option is to use heredoc syntax for the file content. Note that, as written, you've got quite a serious code injection problem. It can be tricky to sanitize the input properly, which is why generating PHP containing user input is a bad idea. One alternative is to generate an INI file, which you can later load with parse_ini_file.

PHP:
<?php

$myFile = "../iniprofiles/pahhh.ini"; 
$fh = fopen($myFile, 'w'); 
if (! $fh) {
    /* don't use "die" if outputting HTML */
    ...
} else {
    /* Sanitize input */
    if (get_magic_quotes_gpc()) {
        foreach ($_REQUEST as $key => $val) {
            $_REQUEST[$key] = stripslashes($val);
        }
    }
    /* 'strip_tags' may or may not be appropriate, depending on where the data 
     * will end up. For example, some HTML be allowed in the description.
     */
    $data = str_replace("\n", ' ', array_map('strip_tags', $_REQUEST));
    $data['title'] = str_replace( " ", "", $data["title"]);
    # 'array_filter' will remove empty values
    $data['tags'] = implode(',', array_filter(array_intersect_key(
                                                    array('tags'=>1, 'tags2'=>1, 'tags3'=>1),
                                                    $data)));
    $stringData =<<<EOF
title={$data["title"]}
description={$data["info"]}
image={$data["screenshot"]}
name={$data["title"]}
howtostop={$data["stop"]}
tags={$data["tags"]}
producer={$data["producer"]}
EOF;

    fwrite($fh, $stringData); 
    fclose($fh);
}

If for some reason you insist on generating a PHP script, look into applying addslashes if magic quotes are off, but it's still dangerous to mix host and embedded languages when generating output.
 
Last edited:
Top