Re: OT: How to use html form input to append input to a file…

Author: Alex Dean
Date:  
To: Main PLUG discussion list
Subject: Re: OT: How to use html form input to append input to a file?

On Jul 26, 2011, at 2:17 PM, Eric Cope wrote:

> Hey Joe,
> That script has the basics to get it working, but there is a big caveat. You need to scrub the form input to prevent ALL malicious inputs from reaching the file. I'd hate to see someone put "rm -rf /" in the file and execute it.


I don't see any code that's actually executing the user-submitted data. If someone submitted 'rm -rf /', that string would be saved to the txt file, but there's no inherent danger in that.

Joe: Make sure that the file you're writing to is outside of the web server's document root. If you can browse to the txt file, then there is a security problem. Someone could submit malicious HTML/JavaScript/etc. and then get others to view it.

> On Tue, Jul 26, 2011 at 1:42 PM, <> wrote:
>
>
> <?php
> $name = $_POST['name'];
> $email = $_POST['email'];
> $fp = fopen("formdata.txt", "a");
> $savestring = $name . "," . $email . "n";


That "n" should be a "\n".

> fwrite($fp, $savestring);
> fclose($fp);
> echo "Your data has been saved in a text file.>";


Remove the final ">" in that string. Or change it to '&gt;' if you want to see a '>'.
http://en.wikipedia.org/wiki/Character_encodings_in_HTML#HTML_character_references

> ?>
>
> 3) "input-text.htm" containing this code:
>
> <form name=webform id=webform method=post action=process-form-data.php>
> Name: <input type=text name=name id=name> <br>
> Email: <input type=text name=email id=email> <br>
> <input type=submit name=s1 id=s1 value=Submit></form>
>
> When I try to run it, it just displays the php code
> and I see these messages repeated several times:


Sounds like your web server is not configured to execute PHP scripts. Make sure that PHP is installed, and that Apache (or other web server) is configured appropriately. http://www.php.net/install


>
> QPainter::begin: Widget painting can only begin as a result of a paintEvent
> QPainter::translate: Painter not active
> QPainter::setClipRect: Painter not active
> QPainter::font: Painter not active
> QPainter::setFont: Painter not active
> QPainter::setPen: Painter not active
> QPainter::worldTransform: Painter not active
> QWidget::repaint: Recursive repaint detected
> QWidget::repaint: Recursive repaint detected


Those are Qt errors. I have no idea why you're seeing them as the result of a web form submission.

alex
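
An added example (not code from this thread) that pulls the reply's points together in one handler: the data file lives outside the document root, each submission is reduced to a single properly terminated record, and stored values are HTML-escaped whenever they are displayed. The path `/var/lib/formdata/formdata.csv` and the function names are assumptions made for illustration; it requires PHP 7.4 or later.

```php
<?php
// Added example: hardened variant of the quoted process-form-data.php.
// Assumption: /var/lib/formdata is a hypothetical directory outside the
// document root, writable by the web server user. Requires PHP 7.4+.
const DATA_FILE = '/var/lib/formdata/formdata.csv';

// Reduce a submitted value to one bounded line so it cannot inject extra records.
function clean_field(string $value, int $max = 200): string
{
    $value = (string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value); // CR, LF, other control bytes
    return substr(trim($value), 0, $max);
}

// Append one record; fputcsv() quotes embedded commas and double quotes
// and writes the trailing "\n" itself.
function append_record(string $path, string $name, string $email): bool
{
    $fp = fopen($path, 'a');
    if ($fp === false) {
        return false;
    }
    flock($fp, LOCK_EX); // serialize concurrent submissions
    $ok = fputcsv($fp, [clean_field($name), clean_field($email)], ',', '"', '') !== false;
    flock($fp, LOCK_UN);
    fclose($fp);
    return $ok;
}

// Escape stored values whenever they are rendered as HTML (e.g. an admin view).
function render_row(array $row): string
{
    $cells = array_map(fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'), $row);
    return '<tr><td>' . implode('</td><td>', $cells) . "</td></tr>\n";
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = $_POST['name']  ?? '';
    $email = $_POST['email'] ?? '';
    if (!is_string($name) || !is_string($email)
        || filter_var(clean_field($email), FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        exit('Invalid input.');
    }
    echo append_record(DATA_FILE, $name, $email)
        ? 'Your data has been saved in a text file.'
        : 'Could not save your data.';
}
```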