PHP bufferring output help. Generating a pre-named html page

Question

I am trying to use the php output buffering function to create a new html page after a user form submit.

I researched this here, and found help with this answer on another thread.... https://stackoverflow.com/a/3775302/7637995.

That advice did work for me to produce an html page to my server.

However, I need to take it a step further and so far, haven't found a way to do that.

As I stated... with the code provided in that answer, and embedded in my PHP page... I was able to generate a new html page, with all of my form data intact on my server, by setting the 'name' of the html page to "Mydocument" like so...

    <?php ob_start(); ?> 
    /* My 'Form Page' Content Here */ 
    <?php echo ''; 
    file_put_contents('Mydocument.html', ob_get_contents()); 
    ?>.

However... instead of having to name a 'one-off' destination html page in advance, by hard-coding it in each time... I would like to know if it's possible to have the form itself, automatically generate a name for a new destination html page each time the form is submitted. Perhaps based on the input data from one of the text form fields.

In the form, for example... I have a field named 'banner'. The text entered into that field eventually becomes the headline for an article on the html page.

So... I was wondering if the data in that 'banner' field, could also be used to automatically generate a 'name' for the destination html page.

Therefore, instead of me having to code a 'name' for the destination html page, such as; 'Mydocument.html' (or whatever)... the form would automatically create a name for that html page itself on submit.

For example... if my headline (entered into the 'banner' field of the form) is

"Giant Asteroid To Hit Earth"

By the time the PHP code generates, it may look something like this....

    <?php ob_start(); ?> 
    /* My 'Form Page' Content Here */ 
    <?php echo '';      
      file_put_contents('Giant%Asteroid%To%Hit%Earth.html'
      , ob_get_contents()); 
    ?>.

If anyone can help me with this... it would be much appreciated.

Just have the "form page" set a PHP variable, and use that as the first argument to `file_put_contents`... but be advised to sanitize your input! Otherwise someone with malicious intent can craft a headline to overwrite arbitrary files on your server, and likely run arbitrary code. — Siguza, Feb 28 '17 at 22:58
First a direct answer to that question: certainly such thing is possible. You just have to use a string variable holding the name as value instead of the hard coded name you currently use. How you construct that name value and based on what data is up to you. You just have to make sure to properly escape any user input (client side data) to prevent security implications for funny names. — arkascha, Feb 28 '17 at 22:58
However this whole question reads as if you do not really understand how web pages are generated in a dynamic manner, for example by means of php. WHy do you want to create a html file? What for? Why not keep the data inside a database and generate the html document on the fly when it is requested? That saves you all the hassle of writing files, cleaning them up and preventing name collisions... — arkascha, Feb 28 '17 at 23:00
Thanks guys. arkascha.. you are correct. I realize I am most likely going about this in the wrong way. A database which I can call is ultimately the way I will need to go. But as you may have noticed, I am not anywhere near as versed as i need to be with coding yet. I'm surprised I have gotten this far. Thank you for your reply and input. For the time being, until I learn more about databases, etc... I am going to start by trying the snippet provided by symcbean below. I'll give some feedback shortly. Thanks again. — Jamie Sexton, Feb 28 '17 at 23:07

symcbean · Accepted Answer · 2017-02-28T23:09:16.783

0

<?php 
  ob_start(); 
  $headline=str_replace('.', '_', basename($_REQUEST['banner']));
?> 
/* My 'Form Page' Content Here */ 
<?php echo '';      
  file_put_contents($headline . '.html'
  , ob_get_contents());

A couple of things you should note here: the basename function fixes a whole lot of security issues. And I've removed the redundant closing '?>'

edited Feb 28 '17 at 23:09

answered Feb 28 '17 at 22:58

symcbean

47,736
6
59
94

1

Might I suggest something like `preg_replace('#[^_0-9a-zA-Z]#', '_', $_REQUEST['banner']);` in place of `basename()`? `basename()` does not take care of backslashes, which could be abused on Windows to write to any path, nor does it take care of null bytes, which could be used in earlier versions of PHP to drop anything that is appended to a string, so that you could end up with, e.g. a `.php\x00.html` suffix, which would be interpreted as just `.php` and allow for arbitrary PHP code execution. – Siguza Feb 28 '17 at 23:03
@arkascha - no. You've not understood the problem. Although, to be fair, you have reminded me that even basename() does not fix all the problems (realpath doesn't fix any of them). – symcbean Feb 28 '17 at 23:07
@arkascha I don't see how that would be useful. Security-wise, `basename()` does not allow you to write to an arbitrary location, whereas `realpath()` does. And feature-wise, `realpath()` will return an empty string on a file that is yet to be created. – Siguza Feb 28 '17 at 23:07
1

@Siguza: I would hope that nobody is still running such an old version of php, but even current versions of php, depending on the webserver config, can be tricked by someone controlling even part of a filename: http://symcbean.blogspot.co.uk/2016/06/local-file-inclusion-why-everything-you.html – symcbean Feb 28 '17 at 23:11
OK, so if I am to attempt Siguza's recommendation, the full code would be: /* My 'Form Page' Content Here */ – Jamie Sexton Feb 28 '17 at 23:24
@JamieSexton `$headline=preg_replace...` – Siguza Feb 28 '17 at 23:28
Thank you. I will attempt shortly and give feedback. – Jamie Sexton Feb 28 '17 at 23:30
Hey guys! So far so good! Thank you. Another question..... While the html file generates and saves great to my root directory. However, in the instance where I attempt to create a special directory [folder] for these html pages to reside... it doesn't save. How may I direct the destination of these generated html pages to live in a folder named 'articles'? – Jamie Sexton Mar 01 '17 at 02:36
1

Post a new question showing the code you are running. – symcbean Mar 01 '17 at 10:00

PHP bufferring output help. Generating a pre-named html page

1 Answers1