Writing form output directly to CSV file, bad practice?

[garek007]

Hi,

 

I need to create a landing page with a form. That form needs to be recorded somewhere instead of sent to email. I know I can write it to a SQL database, and then to an excel file. But I only need a temporary solution so I figured I'd just go straight to CSV. 

 

Is this bad practice? What potential problems might I encounter other than security issues?

[Jacques1]

It's not necessarily bad practice, but doing it correctly is harder than you may think.

 

How do you deal with multiple submissions from the same user? If you create a new CSV each time, how do you ensure unique filenames? If you overwrite the previous CSV, how do you make sure that simultaneous submissions don't trample each other? Note that file_put_contents() and fwrite() are not atomic, so you can end up with a mixture of both submissions.

 

A correct implementation will be much more complex than a simple SQL query. And an incorrect implementation will be much less reliable. So personally, I'd use the database.

[garek007]

I was just going to open the file and add to the end of it... not overwrite it each time. That won't work? I hadn't thought about simultaneous submissions though... Our audience will be small, but I suppose it could happen...

[Jacques1]

If you want to append data to the same file, you need to at least use an exclusive lock to coordinate write attempts:

<?php



$user_csv_path = '/path/to/csv';
$user_csv = fopen($user_csv_path, 'a');

if ($user_csv)
{
	/*
	 * Request an exclusive lock on the file. If the file is already locked,
	 * PHP will wait. You may want to cancel the operation instead and ask the
	 * user to retry. In that case, set the LOCK_NB flag. Note, however, that it
	 * doesn't work on Windows.
	 */
	if (flock($user_csv, LOCK_EX))
	{
		$data = array('foo', 'bar');

		// write to file
		fputcsv($user_csv, $data);

		flock($user_csv, LOCK_UN);
	}
	else
	{
		trigger_error('Failed to obtain exclusive lock on file ' . $user_csv_path);
	}

	fclose($user_csv);
}
else
{
	trigger_error('Failed to open or create file ' . $user_csv_path);
}

[garek007]

hey thanks for that. what do you mean doesn't work on windows? just the LOCK_NB flag doesn't work on windows? Or the whole thing?

 

If I do it with mysql instead, do I still have to lock the database while it's writing? or is it a lot more straightforward? By that I mean, will SQL police itself for simultaneous attempts to write?

[Jacques1]

hey thanks for that. what do you mean doesn't work on windows? just the LOCK_NB flag doesn't work on windows? Or the whole thing?

 

Only the flag.

 

 

 

If I do it with mysql instead, do I still have to lock the database while it's writing? or is it a lot more straightforward? By that I mean, will SQL police itself for simultaneous attempts to write?

 

MySQL takes care of all the low-level details. All you need to do is insert the row.

[garek007]

sweet thanks. Maybe I'll try it. I did a test with a coworker where we both hit submit at the same time and it still wrote. Now I'm sure it's more complicated that that, like we probably were milliseconds apart, but I also added a safety so that it also emails me the form data. This way, I have a backup in case it doesn't write. Maybe by the end of the week I can get the mechanism in place to write to the DB. It doesn't look too hard and I think I saw some code earlier when I asked THE GOOGLE.