I have the following script which is working well at taking the data from my HTML form and writing it to a .conf file.
<?php
$path = '/usr/local/flowsim/data/phptest.conf';
if (isset($_POST['CollectorIP']) && isset($_POST['CollectorPort']) && isset($_POST['NetflowVersion'])) {
$fh = fopen($path,"a ");
$string = 'collector-ip='.$_POST['CollectorIP']. "\n". 'collector-port='.$_POST['CollectorPort']. "\n". 'engine='.$_POST['NetflowVersion'];
fwrite($fh,$string); // Write information to the file
fclose($fh); // Close the file
}
?>
However I am needing this script to "auto-name" the .conf files differently using the variables from the HTML form. For example, at the moment the script is creating the file phptest.conf and writing the below info (which will be different each time) which was inputted via the HTML form:
collector-ip=10.0.0.0
collector-port=9000
engine=Netflow Version 10 (IPFIX)
As these three inputs will be unique every time the script is run I would like to use them to name the new file each time the form is submitted.
For example if the collector-ip was 5.5.5.5, collector-port 9996 and engine Netflow Version 10 (IPFIX) the filename would be 5.5.5.5:9996:Netflow Version 10 (IPFIX).conf.
I am quite new to PHP but I believe this could be achieved by using the (isset($_POST['CollectorIP']), ($_POST['CollectorPort']) and isset($_POST['NetflowVersion']) variables in the file path which would complete from the inputted data and name the files as expected each time the form is submitted.
Is this correct or do I have it wrong? Would the following script work or is there a better way to do this?
<?php
$path = '/usr/local/flowsim/data/(isset($_POST['CollectorIP']):isset($_POST['CollectorPort']):isset($_POST['NetflowVersion']).conf';
if (isset($_POST['CollectorIP']) && isset($_POST['CollectorPort']) && isset($_POST['NetflowVersion'])) {
$fh = fopen($path,"a ");
$string = 'collector-ip='.$_POST['CollectorIP']. "\n". 'collector-port='.$_POST['CollectorPort']. "\n". 'engine='.$_POST['NetflowVersion'];
fwrite($fh,$string); // Write information to the file
fclose($fh); // Close the file
}
?>
CodePudding user response:
Before showing the code I think there are a couple of things worth pointing out:
it looks like you're receiving this data via a post on a web form. Therefore, your intention is to allow users to send data that will be written to a file on your server. This is a big security risk, so you'll want to be 100% certain that whatever they're entering is trustworthy.
Assuming the above is correct and this script will live on a web server, most of the time the script will not have write access to create a file / write to a file. So you'll have to modify permissions etc, which again has security concerns that you'll have to be aware of
Anyway, as far as the script itself, the line where you're using isset won't work as it's written. I would separate the test out and do it like so:
if ( isset( $_POST['CollectorIP'] ) && isset($_POST['CollectorPort']) && isset($_POST['NetflowVersion']) ) {
// ok let's try to create the file
$path = '/usr/local/flowsim/data/' . trim($_POST['CollectorIP']) . ':' . trim($_POST['CollectorPort']) . ':' . trim($_POST['NetflowVersion']) . '.conf';
if ( $fh = fopen($path,"a ") ) {
$string = 'collector-ip='.$_POST['CollectorIP']. "\n". 'collector-port='.$_POST['CollectorPort']. "\n". 'engine='.$_POST['NetflowVersion'];
if ( fwrite($fh,$string) ) {
// yay
} else {
// do some sort of error handling because the file couldn't be written to
}
fclose($fh); // Close the file
} else {
// do some sort of error handling because the file couldn't be opened
}
} else {
// do some sort of error handling because they didn't provide the necessary data
}
CodePudding user response:
Expressions aren't evaluated inside string literals. You need to use concatenation.
$path = '/usr/local/flowsim/data/' . (isset($_POST['CollectorIP']):isset($_POST['CollectorPort']):isset($_POST['NetflowVersion']) . '.conf';
You should be very careful when using POST data in filenames, since the user could put ../../.. in the value to access outside the directory you want to write to. Add some data validation, or use basename() to discard the directory part.