
PHP get content from form, write it to a php file and display html correct but don't execute php code

I have a blog system where users can enter a name for a free URL and the content which should be displayed on that URL.

So the HTML tags have to be rendered in the browser, but when they write PHP code or other similar things, it should not be executed when the user then visits the new site.

Right now I do it like this:

<?php
// Form handler as posted in the question (behaviour unchanged, comments added).
$new_url = $_POST["newurl"];                          // user-chosen file name, used unchecked
$header = file_get_contents("./header.php");          // raw source of header.php, copied verbatim
$part1 = "<?php echo html_entity_decode(\"";          // opens a PHP string literal in the generated file
$content = htmlspecialchars($_POST["content"]);       // escapes < > & " ' (not PHP syntax in general)
$part2 = "\");     ?>";                                // closes the literal and the PHP block
$footer = file_get_contents("./footer.php");          // raw source of footer.php, copied verbatim
// Writes a new, executable .php file into the document root.
file_put_contents("./$new_url".".php",$header.$part1.$content.$part2.$footer);

Like that, the HTML is rendered correctly in the user's browser when he calls domain.tld/"url-he-entered".php

But I am unsure if this is a safe way, or could the user still enter PHP code in the content and it would be executed when he loads the new URL?

The comments from @CD001 solved the issue:

The whole idea is a security nightmare anyway mind - ideally you don't want a public facing application able to write anything within the DOCROOT unless you've got a really good handle on the security. You'd be better off storing whatever they enter in a database then using mod_rewrite to hijack the URLs so that whatever the user's URL is, it pulls in your PHP but drops in their sanitised content from the DB (you could use something like http://htmlpurifier.org/ ).
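The approach from the comment above, worked through as an added example (this is not code from the question or from @CD001): one fixed PHP script serves every user URL, the user's HTML lives in a database rather than in a generated .php file, and HTMLPurifier sanitises it once on save. It assumes an Apache rewrite such as `RewriteRule ^([a-z0-9-]+)$ /page.php?slug=$1 [L]` pointing at this script, a SQLite file `pages.sqlite` with the table created below (both assumed), and the `ezyang/htmlpurifier` package installed through Composer (the autoloader path is an assumption). The `header.php` and `footer.php` names come from the question.

```php
<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer autoloader (ezyang/htmlpurifier)

// The slug is only ever a database key, never a file name, so nothing the user
// types can choose where on disk anything is written. Strict allow-list check.
function validSlug(string $slug): bool
{
    return (bool) preg_match('/^[a-z0-9][a-z0-9-]{0,63}$/', $slug);
}

// Sanitise the user's HTML: keep ordinary markup, drop scripts, event handlers
// and non-http(s) URLs. Because the result is only echoed and never written
// into a .php file, "<?php" in the content is just text.
function sanitiseHtml(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href],ul,ol,li,h1,h2,h3,blockquote,code,pre');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('Cache.DefinitionImpl', null); // no cache directory in this example
    return (new HTMLPurifier($config))->purify($html);
}

function db(): PDO
{
    $pdo = new PDO('sqlite:' . __DIR__ . '/pages.sqlite'); // assumed location
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS pages (slug TEXT PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Save path: replaces the file_put_contents() call from the question.
function savePage(PDO $pdo, string $slug, string $rawHtml): void
{
    if (!validSlug($slug)) {
        throw new InvalidArgumentException('invalid slug');
    }
    $stmt = $pdo->prepare('INSERT OR REPLACE INTO pages (slug, body) VALUES (:slug, :body)');
    $stmt->execute([':slug' => $slug, ':body' => sanitiseHtml($rawHtml)]);
}

// Render path: returns the stored, already-sanitised body or null if unknown.
function loadPage(PDO $pdo, string $slug): ?string
{
    if (!validSlug($slug)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT body FROM pages WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

$pdo = db();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $slug = (string) ($_POST['newurl'] ?? '');
    try {
        savePage($pdo, $slug, (string) ($_POST['content'] ?? ''));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit('Invalid URL name');
    }
    header('Location: /' . $slug, true, 303); // $slug passed validSlug(), so it is safe here
    exit;
}

$body = loadPage($pdo, (string) ($_GET['slug'] ?? ''));
if ($body === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: text/html; charset=utf-8');
// header.php / footer.php are your own code and are executed as usual;
// the user's content is plain output between them and is never parsed by PHP.
require __DIR__ . '/header.php';
echo $body;
require __DIR__ . '/footer.php';
```

The two properties that matter are that the web process never writes into the document root, and that user input never reaches a PHP parser: the slug is validated against an allow-list before it touches the database or a redirect, and the stored body is inserted as output rather than as source. With `HTML.Allowed` set, HTMLPurifier also rejects anything outside that tag list, so a copy of this config is where you would widen or narrow what authors may use.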
