..oO(Shawn)
>I have the following code in a PHP file. An HTML form passes user
comment data to the PHP, which then appends the user comments to the
end of the HTML file on which the form is located. This PHP code
works: the HTML file with added comments displays correctly in my
browser. However, appending text to the very end of the HTML file
creates what is, strictly speaking, invalid code.
I am looking for a way to tell PHP to write data to the file JUST
BEFORE the </bodytag. I have read about fseek(), but don't know for
sure if the number of characters (or HTML tags) after my "user
comments" section is going to remain constant.
You want to insert data into the middle of a file. This means you have
to recreate the entire file. Usually you would read it into memory,
write all of its data to a new empty file until you reach the insert
position, then write the new data, then the rest of the original file.
After that you replace the old file with the new one.
You could do this with file() and looping through the resulting array
until you reach the "</body>" line. Another way would be to load the
entire file with file_get_conten ts() into a string. Then use string
functions to prepend "</body>" with your new content, finally use
file_put_conten ts() to write it all back to disk.
But there are a lot of other problems:
><HTML>
<HEAD></HEAD>
This code is invalid anyway. There's no document type declaration and
the 'title' element is missing.
><BODY>
<?
Don't use short open tags. They are unreliable and will be turned off by
default in the coming PHP 6. Use the correct <?php instead.
>$name = $_POST['name'];
$website = $_POST['website'];
$message = $_POST['message'];
$timestamp = $_POST['timestamp'];
No error checking that these $_POST values really exist?
>$fp = fopen(basename( $_SERVER[HTTP_REFERER]), 'a');
Holy sh*t... The HTTP referrer is not only totally unreliable, but also
easy to fake. This opens a _huge_ security hole here - an attacker could
easily manipulate _any_ file your web server is allowed to write to and
inject arbitrary code!
Have a look at the various predefined values in $_SERVER instead, the
elements 'SCRIPT_NAME' or 'PHP_SELF' could be of interest.
>if (!$fp)
{
echo "There was an error. Please try again later.";
exit;
The exit call here will prevent the script from returning a complete
HTML document to the browser. In case of an error you should just stop
or skip the further file processing, but not kill the entire script.
>}
else
{
$outputstrin g = "<hr>" .$timestamp. "<br>" .$name. "<br>" .$message.
";
You should also have a look at htmlspecialchar s(). Your code allows a
user to insert arbitrary markup, which means that your page can be
abused for cross-site scripting attacks (XSS). Even worse: it also
allows easy code injection - the most severe of all security problems.
My suggestion: Drop the idea of a self-modifying script - this calls for
a lot of _serious_ trouble! Instead write the posted messages to another
file (plain text or CSV for example) or to a database. Then use a little
load function to show these messages on your page.
Micha