save as php file with fwrite

[mraza]

Hi, I am trying to save some content with form which has php code in it.

 

i.e $submittedphpcode

<?php

echo 'test';

?>

 

my code to save that $submittedphpcode

$file = "file.php";
$ourFileHandle = fopen($filefile, 'w+') or die("can't open file");
fwrite($ourFileHandle, "$submittedphpcode");
fclose($ourFileHandle);

 

and i am getting this file created with slashes

<?php\r\n\r\necho \'test\';\r\n\r\n?>

i tried with stripslashes but it just remove \ not r n , i need to keep spaces etc.

 

any help on how to save it as php file properly?

 

Thanks

[MrXHellboy]

May i ask you want you want exactly ?

 

[devWhiz]

$filefile?

[mraza]

May i ask you want you want exactly ?

i have a html form need to save this code as php in a new file.php on submit

//i have this variable coming from form:
$submittedphpcode = $_POST['submittedphpcode'];
//which looks something like this
$submittedphpcode = "
<?php

echo 'test';

?>";

// i need to save that as is in a new file.php

means i need to save all above code as is in $submittedphpcode including <?php etc in file.php

[mraza]

$filefile?

 

just a typo while typing here, code is working but it is adding slashes to php code in file.php

[DavidAM]

Are you running in a Windows environment?

 

From the php manual for fwrite()

    Note:

 

    On systems which differentiate between binary and text files (i.e. Windows) the file must be opened with 'b' included in fopen() mode parameter.

 

Personally, I had thought this only applied to the CR-LF line endings, but you might try adding the "b" flag to the fopen

$ourFileHandle = fopen($filefile, 'w+b');

 

[mraza]

Are you running in a Windows environment?

 

From the php manual for fwrite()

    Note:

 

    On systems which differentiate between binary and text files (i.e. Windows) the file must be opened with 'b' included in fopen() mode parameter.

 

Personally, I had thought this only applied to the CR-LF line endings, but you might try adding the "b" flag to the fopen

$ourFileHandle = fopen($filefile, 'w+b');

 

Thanks for reply sir, I tried on linux and windows both have same results, I tried with +b and +t but again same results

 

 

[DavidAM]

So, this data is coming from a FORM? Does your site have magic_quotes_gpc turned on? If so, then you need to stripslashes() when you retrieve the data from $_POST (or $_GET). You said you tried stripslashes() so I did not mention it before.

 

Try echoing out the value at various places to see where the slashes are coming from. If magic_quotes are on and you may be double escaping the input somewhere (you're not using addslashes() somewhere, right?). Can you post all of the code from where you capture the $_POST through the fwrite()?

 

[mraza]

Hi thanks again , magic_quotes_gpc is turnned off and i tried with stripslashes too.

Here is my html form to submit.

<form action="" method="POST">
<table>
	<tr>
		<td>Code:</td>
		<td><textarea rows="10" cols="50" name="code"></textarea></td>
	</tr>
	<tr>
		<td></td>
		<td><input type="submit" value="Save" /></td>
	</tr>
</table>
</form>

 

And here is process after submitting

/*
$_POST['code'] contains this value

<?php

echo 'test';

?>";

including php opening and closing tags...


*/
$code = $_POST['code'];

// i also tried with w+b and w+t but same
$file = "file.php";
$ourFileHandle = fopen($file, 'w+') or die("can't open file");
fwrite($ourFileHandle,$code);
fclose($ourFileHandle);
}

 

and here is file.php created by above

<?php\r\n\r\necho \'test\';\r\n\r\n?>

 

 

[DavidAM]

I don't want to insult you, but sometimes I ask very basic questions just to make sure.

 

* How are you viewing the file and seeing the slashes? Is it possible that your viewer is adding them? Probably not, but let's just eliminate the possibility.

 

* That's all of the code? You are not using mysql_real_escape_string() somewhere, right?

 

* Try a liberal case of var_dump() to see where the data is getting changed. I usually wrap the var_dump() display in PRE tags just so it is clear in the browser. Try this:

 

echo '<PRE>'; var_dump($_POST); echo '</PRE>'; // ADD THIS LINE
$code = $_POST['code'];
echo '<PRE>'; var_dump($code); echo '</PRE>'; // ADD THIS LINE

// i also tried with w+b and w+t but same
$file = "file.php";
$ourFileHandle = fopen($file, 'w+') or die("can't open file");
fwrite($ourFileHandle,$code);
echo '<PRE>'; var_dump($code); echo '</PRE>'; // ADD THIS LINE (JUST TO DOUBLE CHECK)
fclose($ourFileHandle);
}

 

You might also look at the "View Source" of the browser to see if there is anything special in the HTML.

 

** Post the dump results and let's see if we can nail this one down.

 

* What version of PHP are you running?

[mraza]

oh i apologize sir, actually there was a function in my script on top of script included by other file and after your advice to check for my_real_escape_string, i found out that was enable on that page. thank you very much for your time and help and i do understand sometime a basic stuff can be buggy .

 

Thanks again for your time an support, God bless you..

 

 

[DavidAM]

No apology is necessary, I'm glad to help. I know to check for the basic stuff because it has bitten me before as well.

 

Just a note about mysql_real_escape_string(). It is not intended to be a general escaping mechanism. It should be used immediately before going to the database. Carry the data values in the code "raw" and escape them on the way out. Otherwise, you run into problems trying to send it to HTML or MYSQL or anywhere else.

 

$input = $_POST['txtInput']; 
// Of course, if magic_quotes_gpc() is on, we need stripslashes()
if (get_magic_quotes_gpc()) $input = stripslashes($input);

// USE $input FOR WHATEVER

// NOW PREPARE $input FOR THE DATABASE
$sql = "INSERT INTO myTable (UserText) VALUES ('" . mysql_real_escape_string($input) . "')";

 

[mraza]

ok Thanks again for that tip

all solved