3

enter image description here

I have made a script which saves a few lines of PHP to a .php file. All my scripts work perfectly fine, but just this page is starting to get annoying.

Explaination of what is happening in the GIF:

1: I change the settings - the last 2 settings need to appear when you enable the 2nd setting called "Custom style". That works fine and all. 2: So you enable it and for some reason it completely wipes the other 2 settings (the "primarycolor" and "adminbg").

How can this happen? What am I doing wrong? My script is below if you want to try it out yourself.

<?php
if (isset($_POST["submit"])) {
$string = '<?php 
$customoptions = '. $_POST["customoptions"] .';
$primarycolor = "'. $_POST["primarycolor"] .'";
$adminbg = "'. $_POST["adminbg"] .'";
?>';

$fp = fopen("includes/userstyle.php", "w");
fwrite($fp, $string);
fclose($fp);
}

include("includes/userstyle.php");
?>
<form action="" name="customopt" method="post">
<table>
<tr>
<td>Panel language</td>
<td>
<select onchange="this.options[this.selectedIndex].value && (window.location = this.options[this.selectedIndex].value);">
<option><?php echo $lang['chooselanguage']; ?></option>
<option value="dashboard.php?lang=en">English</option>
<option value="dashboard.php?lang=nl">Dutch</option>
</select>
</td>
</tr>
<tr>
<td>Custom Style</td>
<td><select name="customoptions" id="customoptions"><option value="true" <?php if($customoptions == true){ echo 'selected'; }; ?>><?php echo $lang['enabled']; ?></option><option value="false" <?php if($customoptions == false){ echo 'selected'; }; ?>><?php echo $lang['disabled']; ?></option></select></td>
</tr>
<?php if($customoptions) { ?>
<tr>
<td>Primary Color</td>
<td><input name="primarycolor" type="text" id="primarycolor" value="<?php echo $primarycolor; ?>"></td>
</tr>
<tr>
<td>Background Color</td>
<td><input name="adminbg" type="text" id="adminbg" value="<?php echo $adminbg; ?>"></td>
</tr>
<?php } ?>
</table>
<input type="submit" name="submit" value="<?php echo $lang['ok']; ?>">
</form>

EDIT: userstyle.php

<?php 
$customoptions = true;
$primarycolor = "555";
$adminbg = "fff";
?>
Improve this question
12
  • 4
    first of all: putting unsanitized data into a database is a bad idea - but putting it into an executable php-script like that is a VERY very very very bad idea - an attacker could hijack your whole server with this very easily. you probably should ask yourself "what do i want to achieve by writing my data in a script file instead of a database?" and as follow-up question "how can i prevent myself from writing data into a script file?" Commented Feb 9, 2016 at 14:40
  • @FranzGleichmann Correct, I know that but this is a simple test, it will never go live. Commented Feb 9, 2016 at 14:41
  • 1
    Nice idea adding an animated gif +1 just for that Commented Feb 9, 2016 at 14:45
  • 6
    I hate when people say "I'm not that far along..." or "This site will not be public..." or "It's only for school, so security doesn't matter...". If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, "I'll add security later...". If you don't have time to do it right the first time, when will you find the time to add it later? Commented Feb 9, 2016 at 14:45
  • 2
    ..If you don't have time to do it right the first time, when will you find the time to add it later? This line made my day @JayBlanchard. Great !! Commented Feb 9, 2016 at 14:54

1 Answer 1

Reset to default
2

When you post your form for the second time, you post empty values, and they are saved to file, as expected.

You should add something like

if (isset($_POST["submit"]) && !empty($_POST['primarycolor']) && !empty($_POST['adminbg'])) {
    // ...

But actually there can be another validation rules.

And as others noticed in comments — this is, even in educational purposes, very stupid idea to save user data into php file and then execute that file. The simplest alternative — save settings to a json file with json_encode, then decode, and don't forget to html-escape them with at least htmlspecialchars.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

This is a good starting point to solving your problem; do not write PHP with PHP. Save your data as JSON if anything. Then, on page load, read the data from your JSON file. On POST, save your data to your JSON file and reload the page. The updates should now be reflected in your page.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.