html/php create and save text file to root directory with custom filename

I want to create a text file through my website page with a self-defined filename. Can it be done with only HTML, or is PHP needed?

Here is my code:

  <form id="raw-text" >
      <textarea name="raw" rows="10" id="raw" style="word-wrap: break-word; resize: horizontal; height: 700px; width: 99%"></textarea>
  </form>
  <input id="filename" placeholder="File Name here"></input>
  <button name="submit" onclick="form.echo()" >Send!</button>

HTML can't create files.

Assuming you have a single file (let's call it “index.php”), here is an example of code necessary to deal with both the server-side php code and the client-side html code.

<?php
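    // Run only when the form was submitted with both fields present
    if( isset($_POST["name"], $_POST["data"]) ) {
        // Both values come straight from the request, unvalidated
        $name   = $_POST['name'];
        $data   = $_POST['data'];

        if(file_exists($name)){
            // Do something if file already exists

        }else{
            // Creates file if it doesn't exist
            file_put_contents($name , $data);
        }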
        exit();
    }
?>
<html>
    <body>
        <form action = "?" method = "POST" id="raw-text" >
            <textarea name="data" rows="10" id="raw" style="word-wrap: break-word; resize: horizontal; height: 700px; width: 99%"></textarea>
            <input name="name" placeholder="File Name here"></input> 
            <button name="submit">Send!</button>
        </form>
    </body>
</html>

The above is capable of creating a file and inserting the data typed by the user.
If the php script is in a separate file, you can change the <form action = "?" to <form action = "Path_To_File" .

Note that:
$_POST['…'] retrieves the named html tags from the form.
See http://php.net/manual/en/function.file-put-contents.php for details about the file_put_contents php function.

But I agree with the comments: this is not a secure way to do it.
This code is an example and you need to test many things to make it secure and implement it in your application.
And you need to be sure that the files that the users will be creating aren't system files or php files that allow them to do anything they want.

For security reasons, you should not let the user create files based on their input; especially letting the user set file names based on input.

If they created a .php file and then browsed to it, you would be allowing them to run their own PHP code on your server. This allows them a great amount of access to your system. They could also add .htaccess files, or .ini files, which would be very bad as well.

The number of checks you would need in order to ensure the correct data is entered and that the files could not be used to exploit your system would be huge, and you would almost certainly miss something that could be exploited. The best answer is to not allow this and to find a different way to do what you want.
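
One different way to get a user-labelled text file without letting the request choose the path or extension, shown as an added example that is not code from either answer. It assumes a placeholder storage directory outside the document root (`STORAGE_DIR`) and an assumed size cap (`MAX_BYTES`); `store_user_text` is a hypothetical helper name, and the form fields `name` and `data` are the ones used in the first answer.

```php
<?php
declare(strict_types=1);

// Assumption: placeholder directory outside the document root, so stored
// files are never served or executed by URL.
const STORAGE_DIR = '/var/app-data/notes';
const MAX_BYTES   = 65536; // assumed size cap for one file

// Stores $data under a server-controlled name and returns that base name.
function store_user_text(string $label, string $data, string $dir = STORAGE_DIR): string
{
    // Allowlist: letters, digits, underscore, hyphen only. No dots or slashes,
    // so the label cannot carry an extension, ".htaccess", or "../".
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $label) !== 1) {
        throw new InvalidArgumentException('invalid file label');
    }
    if (strlen($data) > MAX_BYTES) {
        throw new InvalidArgumentException('text too large');
    }
    // The server appends a random suffix and a fixed ".txt" extension.
    $name = $label . '-' . bin2hex(random_bytes(8)) . '.txt';
    $path = $dir . DIRECTORY_SEPARATOR . $name;

    // Mode "x" creates the file and fails if it already exists, so nothing
    // is ever overwritten and there is no check-then-write race.
    $fh = @fopen($path, 'xb');
    if ($fh === false) {
        throw new RuntimeException('could not create file');
    }
    try {
        if (fwrite($fh, $data) !== strlen($data)) {
            throw new RuntimeException('short write');
        }
    } finally {
        fclose($fh);
    }
    return $name;
}

// Request handling, using the form field names from the first answer.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && is_string($_POST['name'] ?? null) && is_string($_POST['data'] ?? null)) {
    try {
        echo 'Saved as ', htmlspecialchars(store_user_text($_POST['name'], $_POST['data']));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Rejected: ', htmlspecialchars($e->getMessage());
    }
}
```

This covers the file name and extension concerns raised above; it does not add authentication, CSRF protection or rate limiting, which a real deployment would still need.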
