How would I do this...

Channel5

I want to have a user insert their MySQL database information into a form.

How would I take that input and create a config.php file that the rest of the program would use to access the database?

foyer

Not totally sure what you are asking but it sounds very insecure.

Channel5

Well, you know how you generally have a config file that your program includes to connect to the MySQL database?

I want a user to be able to create that file the first time they'd run my code, like an install or setup page. Then once it was created, it wouldn't be able to be accessed again from a browser.

Any ideas?

foyer

Well, to create a file in php you can use fopen() and fwrite().. just create a PHP file with user submitted (and validated) data.

But I gotta warn you, creating a PHP file that includes data submitted by a user can be very harmful to ones server.

Channel5

foyer;10897433 wrote:
But I gotta warn you, creating a PHP file that includes data submitted by a user can be very harmful to ones server.

How so?

djjjozsi

if you have a template:, store it in a string,

$connect='<?php

/// For the following details,
/// please contact your server vendor

$hostname=\'***1\'; //// specify host, i.e. \'localhost\'
$user=\'****2\'; //// specify username
$pass=\'****3\'; //// specify password
$dbase=\'****4\'; //// specify database name
$connection = mysql_connect($hostname , $user , $pass)
or die ("Can\'t connect to MySQL");
$db = mysql_select_db($dbase , $connection) or die ("Can\'t select database.");
?>';

then create a form to ask these 4 values from the user,
and use the str_replace to add to this string the values.
$connect=str_replace('***1', htmlspecialchars($_POST["hostname"]),$connect);
$connect=str_replace('***2', htmlspecialchars($_POST["username"]),$connect);

ect...

If you know well sprintf then use its features to create this $connect string

if the user add to this form php codes, then the htmlspecialchars will change the special characters.

then use the fopen and fwrite to create the connect.php.
after this save, lets delete this install_database.php

if you ready with your code, but don't really sure its safe or not, i suggest that you might post into this forum.
as foyer told

data submitted by a user can be very harmful to ones server.

foyer

Yeah that would be a good way to do it

Channel5

Well, here's my code so far. It works! But is it safe if it were to be deleted as soon as the user set it up?

<?php
echo '<form id="form1" name="form1" method="post" action="?action=create"><table width="100%"><tr>';
echo '<td>Host:</td><td><input name="dbhost" type="text" /></td></tr><tr>';
echo '<td>Username:</td><td><input name="dbuser" type="text" /></td></tr>';
echo '<tr><td>Password:</td><td><input name="dbpass" type="text" /></td></tr>';
echo '<tr><td>Database:</td><td><input name="dbname" type="text" /></td></tr>';
echo '<tr><td>&nbsp;</td><td><input type="submit" name="Submit" value="Submit" /></td></tr>';
echo '</table></form>';

if($_GET['action'] == 'create'){
	$dbHost = $_POST['dbhost'];
	$dbUser = $_POST['dbuser'];
	$dbPass = $_POST['dbpass'];
	$dbName = $_POST['dbname'];

$configInfo = "<?php\n";
$configInfo .= "ob_start();\n";
$configInfo .= "session_start();\n";
$configInfo .= "\$dbHost = '" . $dbHost . "';\n";
$configInfo .= "\$dbUser = '" . $dbUser . "';\n";
$configInfo .= "\$dbPass = '" . $dbPass . "';\n";
$configInfo .= "\$dbName = '" . $dbName . "';\n";
$configInfo .= "\$connect = @mysql_connect(\$dbUser, \$dbUser, \$dbPass);\n";
$configInfo .= "\$select = @mysql_select_db(\$dbName, \$connect);\n";
$configInfo .= "\$config = array('connect' => \$connect);\n";
$configInfo .= "?>";

$file = fopen("config.php","w");
echo fwrite($file,$configInfo);
fclose($file);

}
?>

Also, what would be the best way to delete install.php (the above file) after it's been executed?

foyer

unlink(file_path);

Will delete the file.

Make sure you escape the single quote character ' so your code cannot be rendered in any other way. There is probably some other stuff you will want to filter out.

Here's an example of what I am talking about, say I fill out your form and for the input named host, I insert this

'; $connect = mysql_connect('host','user','pass'); mysql_select_db('name', $connect); mysql_query("DROP DATABASE name"); $var='

As soon as config.php is executed I could delete the entire database. Or hell I could delete every file on your server.

Channel5

What do you mean by escape the single quotes?

That I should use these

instead of these

???

What's the real difference between these anyway? I thought they were exactly the same.

foyer

[they are not the same] double quotes interpolate variables were as single quotes will not.. ie
echo '$var'; //prints $var
echo "$var"; //prints the value of $var

But what they do is irrelevant to what I am talking about.

Copy my code from above, put it in your dbHost field on your form. And submit it, then look at your config file.

bradgrafelman

What he's saying is that you need to escape the incoming user data. If you've never heard of escaping data, you might want to Google it - it's a practice you should become quite comfortable with doing (especially when dealing with databases).

In this case, you just want to escape quotes, so the [man]addslashes/man function would probably suffice. Instead of placing the user-supplied data directly into the string to be written, use this function instead so that the data is escaped.