Prevent PHP File Showing

Question

The following code receives strings from an HTML page and writes the strings to a text file. However in doing so it opens up a page in my browser with the address of the php file.

How can I stay with my html page and prevent this other page from showing.

<?php
    $name = $_POST['txtFile'];
    $tbx = $_POST['tbx'];
    $chk = $_POST['chk'];
    $txa = $_POST['txa'];

    $file_handle = fopen($name, "w");

    fwrite($file_handle, $tbx . $chk. $txa);
    fclose($file_handle);
?>

The HTML form posting to this page is:

<form action="troncon.ca/Test/Test1.php"; method="POST" enctype="multipart/form-data" id="dataUpload">
  <input type="hidden" name="txtFile" value="">
  <input type="hidden" name="tbx" value="">
  <input type="hidden" name="chk" value="">
  <input type="hidden" name="txa" value="">
</form>

This allows your user to write any file on your system. Probably not what you want. — knittl, Aug 28 '13 at 16:44

Quentin · Answer 1 · 2013-08-28T17:20:19.113

2

Send a 204 No Content response using the http_response_code function.

<?php
http_response_code(204);
exit;

or in older versions of PHP

<?php
header('HTTP/1.1 204 No Content', true, 204);
exit;

204 No Content

The server has fulfilled the request but does not need to return an entity-body, and might want to return updated metainformation. The response MAY include new or updated metainformation in the form of entity-headers, which if present SHOULD be associated with the requested variant.

If the client is a user agent, it SHOULD NOT change its document view from that which caused the request to be sent. This response is primarily intended to allow input for actions to take place without causing a change to the user agent's active document view, although any new or updated metainformation SHOULD be applied to the document currently in the user agent's active view.

The 204 response MUST NOT include a message-body, and thus is always terminated by the first empty line after the header fields.

edited Aug 28 '13 at 17:20

answered Aug 28 '13 at 16:43

Quentin

914,110
126
1,211
1,335

I've tried adding your suggested code but it has no effect. – user984749 Aug 28 '13 at 17:06
I assume I just include it at the end of my existing php code? – user984749 Aug 28 '13 at 17:08
Assuming that your existing PHP code doesn't output any content - yes. – Quentin Aug 28 '13 at 17:18
OK. I've got it to work. I used: header("HTTP/1.0 204 No Content"); – user984749 Aug 28 '13 at 17:21

score 0 · Answer 2 · answered Aug 28 '13 at 16:43

You'd need to use an AJAX request to submit the data in the background. If your form is submitting directly to this script, then the browser's address WILL change to the script's.

On another note, do NOT use this script. You are directly allowing a user to specify a filename (including path data) AND its contents. A malicious user can use this code to COMPLETELY subvert and take over your server. It is a HIDEOUS security hole.

score 0 · Answer 3 · answered Aug 28 '13 at 16:46

0

Just not close php tah in end of file - interpreter will understand that this file should not have any output:

<?php
$name = $_POST['txtFile'];
$tbx = $_POST['tbx'];
$chk = $_POST['chk'];
$txa = $_POST['txa'];

$file_handle = fopen($name, "w");

fwrite($file_handle, $tbx . $chk. $txa);
fclose($file_handle);

Thats all.

answered Aug 28 '13 at 16:46

msangel

9,895
3
50
69

This won't work. PHP will deliver a 200 OK text/html response with a zero byte body if you do this (and the browser will render a blank page). – Quentin Aug 28 '13 at 16:48

Prevent PHP File Showing

3 Answers3

204 No Content