OT: How to use html form input to append input to a file?

Alex Dean alex at crackpot.org
Wed Jul 27 08:08:49 MST 2011


On Jul 26, 2011, at 2:17 PM, Eric Cope wrote:

> Hey Joe,
> That script has the basics to get it working, but there is a big caveat. You need to scrub the form input to prevent ALL malicious inputs from reaching the file. I'd hate to see someone put "rm -rf /" in the file and execute it.

I don't see any code that's actually executing the user-submitted data.  If someone submitted 'rm -rf /', that string would be saved to the txt file, but there's no inherent danger in that.

Joe: Make sure that the file you're writing to is outside of the web server's document root.  If you can browse to the txt file, then there is a security problem.  Someone could submit malicious HTML/JavaScript/etc and then get others to view it.

> On Tue, Jul 26, 2011 at 1:42 PM, <joe at actionline.com> wrote:
> 
> 
> <?php
> $name = $_POST['name'];
> $email = $_POST['email'];
> $fp = fopen("formdata.txt", "a");
> $savestring = $name . "," . $email . "n";

That "n" should be a "\n".

> fwrite($fp, $savestring);
> fclose($fp);
> echo "Your data has been saved in a text file.>";

Remove the final ">" in that string.  Or change it to '&gt;' if you want to see a '>'.
http://en.wikipedia.org/wiki/Character_encodings_in_HTML#HTML_character_references

> ?>
> 
> 3) "input-text.htm" containing this code:
> 
> <form name=webform id=webform method=post action=process-form-data.php>
> Name: <input type=text name=name id=name> <br>
> Email: <input type=text name=email id=email> <br>
> <input type=submit name=s1 id=s1 value=Submit></form>
> 
> When I try to run it, it just displays the php code
> and I see these messages repeated several times:

Sounds like your web server is not configured to execute PHP scripts.  Make sure that PHP is installed, and that Apache (or other web server) is configured appropriately.  http://www.php.net/install


> 
> QPainter::begin: Widget painting can only begin as a result of a paintEvent
> QPainter::translate: Painter not active
> QPainter::setClipRect: Painter not active
> QPainter::font: Painter not active
> QPainter::setFont: Painter not active
> QPainter::setPen: Painter not active
> QPainter::worldTransform: Painter not active
> QWidget::repaint: Recursive repaint detected
> QWidget::repaint: Recursive repaint detected

Those are Qt errors.  I have no idea why you're seeing them as the result of a web form submission.

alex
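
An added example, not code from anyone in this thread: a variant of process-form-data.php that applies the points raised above (data file outside the document root, a real newline per record, user input escaped before it is echoed back as HTML). The path in DATA_FILE, the 200-character limit and the helper names clean_field and append_record are assumptions made for illustration.

```php
<?php
// Added example: hardened variant of process-form-data.php.
// DATA_FILE is an assumed path; what matters is that it is outside the document root.
const DATA_FILE = '/var/lib/webform/formdata.txt';
const MAX_LEN   = 200;   // assumed upper bound per field

// Reduce a submitted value to a single bounded line of text.
function clean_field($value): string
{
    if (!is_string($value)) {           // e.g. name[]=x arrives as an array
        return '';
    }
    // Strip line breaks and NUL so one submission stays one record.
    $value = str_replace(["\r", "\n", "\0"], ' ', $value);
    return substr(trim($value), 0, MAX_LEN);
}

// Append one record to the data file; returns true on success.
function append_record(string $path, string $name, string $email): bool
{
    $fp = fopen($path, 'a');
    if ($fp === false) {
        return false;
    }
    flock($fp, LOCK_EX);                // serialize concurrent submissions
    // fputcsv quotes fields containing commas or quotes and appends "\n".
    $ok = fputcsv($fp, [$name, $email], ',', '"', '') !== false;
    fclose($fp);                        // flushes the write and releases the lock
    return $ok;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $name  = clean_field($_POST['name']  ?? '');
    $email = clean_field($_POST['email'] ?? '');
    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        http_response_code(400);
        echo 'Please enter a name and a valid email address.';
    } elseif (append_record(DATA_FILE, $name, $email)) {
        // Escape anything user-supplied before it goes into an HTML response.
        echo 'Saved: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    } else {
        http_response_code(500);
        echo 'Could not save your data.';
    }
}
```

The web server account needs write access to the data file's directory, and nothing under that directory should be mapped to a URL.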

