Jump to content

Recommended Posts

I posed this question earlier and thought it was fixed, but it's not so I'm posting it again.

 

I'm creating a file to hold mysql login creds based on the users input. They enter their username/password and the program creates a file to hold the creds for future logins.

 

It all appears to work fine for awhile. The file is storing the correct information and the user can login with no problems.

 

The problem is that once a user logs out, the file is somehow getting overwritten so that the creds are blank. The next time the user tries to login, they can't connect since their creds are gone.

 

I'm using file_put_contents to write to the file initially and the user is then redirected to a page with no processing. From there they can link to a page where connection is made to the database. None of the variables ever get used again anywhere in the program aside for connection to the database.

 

Here's the code to write to the file...

//--Variables from Setup Page--\\
$server = $_POST["server"];
$username = $_POST["username"];
$password = $_POST["password"];

//--Creates a file to store Login Information--\\
$data = <<<DATA
<?php
\$server = "$server";
\$username = "$username";
\$password = "$password";
?>
DATA;

file_put_contents("databasedata.php", $data);

Can anyone give me an idea why "databasedata.php" would get overwritten upon logout? Or point me in some direction to look for the problem? Thanks!

Link to comment
https://forums.phpfreaks.com/topic/260273-why-is-this-file-getting-overwritten/
Share on other sites

Your form processing code isn't checking if a form was submitted, so the code on that page will run EVERY TIME the page gets requested (if the code is on a public web server, a search engine spider can find it and requested it.) You should also be validating the data from the form so that each value only contains an expected value (and not something like php code.) By validating that there is data, and not empty strings, you would also prevent overwriting the configuration file with empty values.

 

Also, after your installation routine runs, it is customary to delete the installation script or have the script check if it has already completed so that a hacker cannot come along and re-run the install and mess up the installation.

Actually, there is no log out procedure.

It's a web-based program where the user can login and make updates to their database. They will need to update several times a day so I didn't want the session to expire thus making them log back in all the time.

In testing, it all works fine until I close my browser or shut the computer down. The next time I try to connect to the database, the creds are gone.

Do you think I need to create a specific log out procedure?

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.