Why is this file getting overwritten?


BelowZero

I posed this question earlier and thought it was fixed, but it's not, so I'm posting it again.

I'm creating a file to hold MySQL login creds based on the user's input. They enter their username/password and the program creates a file to hold the creds for future logins.

It all appears to work fine for a while. The file is storing the correct information and the user can log in with no problems.

The problem is that once a user logs out, the file is somehow getting overwritten so that the creds are blank. The next time the user tries to log in, they can't connect since their creds are gone.

I'm using file_put_contents to write to the file initially and the user is then redirected to a page with no processing. From there they can link to a page where connection is made to the database. None of the variables ever get used again anywhere in the program aside from connection to the database.

Here's the code to write to the file...

//--Variables from Setup Page--\\
$server = $_POST["server"];
$username = $_POST["username"];
$password = $_POST["password"];

//--Creates a file to store Login Information--\\
$data = <<<DATA
<?php
\$server = "$server";
\$username = "$username";
\$password = "$password";
?>
DATA;

file_put_contents("databasedata.php", $data);

Can anyone give me an idea why "databasedata.php" would get overwritten upon logout? Or point me in some direction to look for the problem? Thanks!

Your form processing code isn't checking if a form was submitted, so the code on that page will run EVERY TIME the page gets requested (if the code is on a public web server, a search engine spider can find it and request it.) You should also be validating the data from the form so that each value only contains an expected value (and not something like PHP code.) By validating that there is data, and not empty strings, you would also prevent overwriting the configuration file with empty values.

Also, after your installation routine runs, it is customary to delete the installation script or have the script check if it has already completed so that a hacker cannot come along and re-run the install and mess up the installation.
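
The checks described in this reply (run only for a submitted form, validate each value, refuse to run again once setup has completed), as an added example that is not part of the original post or the poster's code. The validation patterns, the size limits and the use of the existing config file as the "already installed" marker are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread; patterns and limits are assumed.
const CONFIG_FILE = __DIR__ . '/databasedata.php';

function validate_setup(array $post): array
{
    $rules = [
        'server'   => '/^[A-Za-z0-9.\-]{1,255}(:\d{1,5})?$/', // host[:port]
        'username' => '/^[A-Za-z0-9_]{1,32}$/',
        'password' => '/^.{1,128}$/s',                        // any non-empty string
    ];
    $clean = $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = $post[$field] ?? '';
        if (is_string($value) && preg_match($pattern, $value) === 1) {
            $clean[$field] = $value;
        } else {
            $errors[] = "$field is missing or not in the expected format";
        }
    }
    return [$clean, $errors];
}

function render_config(array $clean): string
{
    // var_export() writes each value as a quoted PHP literal, so input such
    // as  x"; echo 1; //  is stored as data and never becomes code.
    $out = "<?php\n";
    foreach ($clean as $name => $value) {
        $out .= '$' . $name . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

// Run only for a submitted form, and only while no config file exists yet.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (file_exists(CONFIG_FILE)) {
        http_response_code(403);
        exit('Setup has already been completed.');
    }
    [$clean, $errors] = validate_setup($_POST);
    if ($errors !== []) {
        http_response_code(400);
        exit(implode("\n", $errors));
    }
    file_put_contents(CONFIG_FILE, render_config($clean), LOCK_EX);
    exit('Setup complete.');
}
```

A plain GET from a crawler or a returning browser never reaches `file_put_contents()`, and a POST with empty fields is rejected before anything is written.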

Actually, there is no log out procedure.

It's a web-based program where the user can log in and make updates to their database. They will need to update several times a day so I didn't want the session to expire, thus making them log back in all the time.

In testing, it all works fine until I close my browser or shut the computer down. The next time I try to connect to the database, the creds are gone.

Do you think I need to create a specific log out procedure?
