#1 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Apr 2009 | Posts: 88 | Rep Power: 6

    Produce html page


    At the moment I have a "back end" to my web site where a few authorised users are allowed to upload previously written html files to extend the web site (e.g. an information sheet that is updated weekly).

    An alternative would be to have a Form where the authorised users could write their weekly message and post it onto the web site. I know how to do this to write the information to a file. But how can I publish this information to an html page? Can someone please help me and point me to some information/tutorial that I can read?

    Sorry, I want to write this in php so that I can update various files as it is posted.
#2 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Apr 2007 | Posts: 113 | Rep Power: 0
    If I understand you correctly, you want to display the contents of a file on a webpage? Is it just a text file you want to use? If so, fopen and fread should do what you're looking for.
    http://php.net/manual/en/function.fopen.php
#3 | Devshed Expert (3500 - 3999 posts) | Joined Jul 2012 | Posts: 3,959 | Rep Power: 1014
    Hi,

    you should not allow your users to write their own HTML or upload files somewhere. This is a huge security risk and regularly leads to websites getting hacked (a recent example is Ubuntu Forums).

    The users should only be able to submit raw text. You then store this text in a database. People today often use SQL database systems like PostgreSQL or MySQL. To show the text, you retrieve it from the database, escape it (never forget this part!) and echo it into your own HTML.

    You don't need a tutorial for that. And given the extremely poor quality of most PHP tutorials, you probably shouldn't even look for one. Instead, learn the basics of PHP:

    How to (properly) access a MySQL database with PHP
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#4 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Nov 2013 | Posts: 58 | Rep Power: 2
    What Jacques1 said.

    P.S. There are existing CMSes that do this already (e.g., Drupal or WordPress), so you don't have to write this from scratch.
#5 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Apr 2009 | Posts: 88 | Rep Power: 6
    Perhaps I should explain. The web site is password protected for members of a Club. So it is not possible to hack into it. The Committee at the moment use a word processor (I know that it is not the best approach but you have to understand that these are "luddites") to produce an html document. They then have access to a Control page where they can upload the html page onto the web site. So there is no security risk.

    I'm looking for an easier approach, so I thought that if the Committee simply wrote a message in a Form it would be great if they could then upload this as an html page. I talked about using php to do this, but it could be javascript and I can pass the information to php (to update tables with dates of messages). I know that I could upload the information in the Form into a table in the database, but I'm trying to avoid this.

    Hope that this is clear.
#6 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Nov 2013 | Posts: 58 | Rep Power: 2
    You may think I'm being unhelpful, but this isn't just about security. It's also about best practice and what's most efficient.

    CMSes like WordPress and Drupal came about for a reason. It's a lot easier to manage dynamic content through a database than through another way.

    What are your reasons for not just setting up a MySQL database with a table full of HTML pages with dates and authors attached?
#7 | Devshed Expert (3500 - 3999 posts) | Joined Jul 2012 | Posts: 3,959 | Rep Power: 1014
    Originally Posted by rps
    The web site is password protected for members of a Club. So it is not possible to hack into it.
    Whenever I hear this sentence, I know that the security is even worse than I thought. Because people who actually know a bit about security simply wouldn't make a statement like this.

    Originally Posted by rps
    So there is no security risk.
    ... at least that's what your Committee has decided, I guess.

    Now back to reality:

    • You're using passwords.
    • You're dealing with "luddites". This means the password is "carol1975" and is written on a post-it note stuck to the monitor.
    • The passwords are stored on the server. Let me guess: as plaintext?
    • Whoever got the password can happily upload unfiltered HTML files to the server.

    Yes, you do have a security problem. You can either acknowledge that and do something about it. Or you can hope that your "unhackable server" will magically protect everybody.

    In my experience, the latter doesn't work too well.

    Originally Posted by rps
    I know that I could upload the information in the Form into a table in the database but I'm trying to avoid this.
    And for what reason exactly?

    What I can tell you is that your current setup is a security nightmare. Raw HTML files lying around on the server (hopefully not in the document root) is pretty much the last thing you want. If somebody manages to upload just a single HTML file with JavaScript in it, then your "unhackable security" is gone.

    By the way, this is exactly what happened at Ubuntu.
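    The post above lists plaintext password storage as one of the problems. As an added example (not code from the thread or from the poster's site), this is how such a club site could store member passwords as salted hashes and check a login against them; the `members` table, the in-memory SQLite stand-in for MySQL, and the sample credentials are all assumptions constructed for the demo.

```php
<?php
// Added example, not from the thread: hashed password storage with PHP's
// password_hash()/password_verify(). Assumes a constructed `members` table
// (username, password_hash); uses in-memory SQLite so it runs stand-alone.
declare(strict_types=1);

function register_member(PDO $db, string $username, string $password): void {
    // bcrypt by default; a random salt is generated and embedded in the hash.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-for-constant-time', PASSWORD_DEFAULT);
    }
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Verify against a dummy hash so an unknown username costs the same
        // time as a wrong password (no username enumeration via timing).
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        // Transparently upgrade old hashes when the algorithm or cost changes.
        $upd = $db->prepare('UPDATE members SET password_hash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed stand-alone demo; the club site would use a MySQL DSN instead.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
register_member($db, 'carol', 'carol1975');
var_dump(check_login($db, 'carol', 'carol1975'));
var_dump(check_login($db, 'carol', 'wrong-password'));
var_dump(check_login($db, 'nobody', 'carol1975'));
```

    Only the first check succeeds; the stored value is the bcrypt string, never the password itself, so a leaked table does not hand out working logins.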
#8 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Apr 2009 | Posts: 88 | Rep Power: 6
    What are your reasons for not just setting up a MySQL database with a table full of HTML pages with dates and authors attached?
    That is exactly what I have currently. So the "committee" upload previously prepared pages written in html, this is "added" to the web site for authorised visitors to view, and there is a table (record) of the uploaded pages.

    I accept the points about security and no, I have not encrypted the passwords. But this is a small private Club of 200 members.

    I am trying to make life simple for the "committee". Asking them to write html is proving difficult.

    Maybe the only solution is to save the information to a table in MySQL (from the Form) and then use this as the data source rather than an html page. I already do this for one other feature in the web site. I just thought that posting a message could be made simpler.
#9 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Aug 2012 | Posts: 194 | Rep Power: 77
    Any chance you could tell me the url to your unsecured site so I could do some "pen testing" to show you why security is important?

    In all seriousness, if you let me do this, you would end up with a defaced homepage that says the website was hacked, a back door, and me sending you a PM with all of your SQL data from the database, based on what I have read about your security so far.
    Last edited by jack13580; November 18th, 2013 at 06:36 PM.
#10 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Nov 2013 | Posts: 58 | Rep Power: 2
    Originally Posted by rps
    Maybe the only solution is to save the information to a table in MySQL (from the Form) and then use this as the data source rather than an html page. I already do this for one other feature in the web site. I just thought that posting a message could be made simpler.
    I don't know that this is the only solution, but it's certainly the best. It also gives you control over how the HTML pages look. Similar to WordPress, allow people to give the page a title and to edit the content, but then when you pull that stuff out of the database, you render it with some includes, e.g.,
    PHP Code:
    <?php
    // shared page chrome, then the content pulled from the database goes in between
    include('includes/header.php');
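    Post #3 describes the pattern (accept raw text, store it with the database, escape it on output) and this post describes rendering that stored content into your own template. As an added example that is not code from the thread or from the poster's site, the following puts both together; the `messages` table, the in-memory SQLite stand-in for MySQL, and the sample submission are constructed assumptions.

```php
<?php
// Added example, not from the thread: store committee messages as raw text via
// prepared statements, escape every value when echoing it into HTML. Uses an
// in-memory SQLite database so it runs stand-alone; production would use MySQL.
declare(strict_types=1);

function open_db(): PDO {
    // Assumption: on the club site this would be a MySQL DSN such as
    // 'mysql:host=localhost;dbname=club;charset=utf8mb4' with real credentials.
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, author TEXT NOT NULL,
        title TEXT NOT NULL, body TEXT NOT NULL, posted_at TEXT NOT NULL)');
    return $db;
}

// Stores exactly what was typed; bound parameters are never parsed as SQL.
function save_message(PDO $db, string $author, string $title, string $body): void {
    $stmt = $db->prepare(
        'INSERT INTO messages (author, title, body, posted_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$author, $title, $body, date('c')]);
}

// Escapes a value at the moment it is echoed into HTML, so "<script>" typed
// into the form reaches the browser as literal text rather than markup.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Renders stored messages into the site's own markup (the template stays
// under the developer's control; members only ever supply text).
function render_messages(PDO $db): string {
    $html = '';
    $rows = $db->query('SELECT author, title, body, posted_at FROM messages ORDER BY id DESC');
    foreach ($rows as $m) {
        $html .= '<article><h2>' . h($m['title']) . '</h2>'
               . '<p class="meta">' . h($m['author']) . ', ' . h($m['posted_at']) . '</p>'
               . '<p>' . nl2br(h($m['body'])) . '</p></article>' . "\n";
    }
    return $html;
}

// Constructed sample submission: a quote in the name and a script tag in the body,
// the kind of input a careless or hostile form post could contain.
$db = open_db();
save_message($db, "O'Brien", 'Weekly notice', "Meeting Tuesday.\n<script>alert('xss')</script>");
echo render_messages($db);
```

    The script tag in the sample body comes out as `&lt;script&gt;...&lt;/script&gt;`, inert text inside the paragraph, and the apostrophe in the author name never reaches the SQL parser because it travels as a bound parameter.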
#11 | Contributing User, Devshed Novice (500 - 999 posts) | Joined Oct 2009 | Location: Nebraska, USA | Posts: 876 | Rep Power: 276
    Originally Posted by rps
    The Committee at the moment use a word processor (I know that it is not the best approach but you have to understand that these are "luddites") to produce an html document.
    I know this isn't the top priority, but, I feel it needs to be added:

    Word Processor programs are not designed to output "proper" html markup.
    So, even if the rest of the scheme worked, there is no guarantee that the "created" html documents would even display properly (without first stripping out the unnecessary word processor junk code).
#12 | Contributing User, Devshed Loyal (3000 - 3499 posts) | Joined Dec 2004 | Posts: 3,027 | Rep Power: 377
    You could use TinyMCE, which lets users write a proper document that gets converted into HTML.

    Your committee might not be very happy when their site is hacked.
#13 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Apr 2009 | Posts: 88 | Rep Power: 6
    If I was designing a banking system or managing a manned space mission then security would be a big issue. But I am not. This is a small private club and the only reason for security is to ensure that members email addresses and telephone numbers remain private. It is safer stored on an on-line MySQL database (with password) with the only access through a password protected web site than on someone's private laptop in their home.

    All I want to do is to post messages now and again on the web site. Currently I have a template written in MS Word that the committee can modify, save on their computer and upload through the Control page. I know that Word is not the most efficient for html, but it is much easier than teaching the committee how to use an html editor.

    And they can easily format the message as the template is written using tables. This is not easily possible using Forms but it occurred to me that I would forgo this limitation in the interests of making life easier for Committee members.

    So, I have concluded that I either leave things as they are or use Forms to store the message in a table.

    Any chance you could tell me the url to your unsecured site so I could do some "pen testing" to show you why security is important?
    Sorry jack13580, I could give you the URL and I don't think that you would be able to "hack into" the web site but I'm not going to take that sort of risk. For what we need the security is absolutely fine (even if you happen to find the URL of an "internal" page it will throw you out of the web site as the code on each page does a number of checks to make sure that you haven't "jumped in"; just a bit of added security).

    Thanks everyone though for your input.
#14 | Devshed Expert (3500 - 3999 posts) | Joined Jul 2012 | Posts: 3,959 | Rep Power: 1014
    *sigh*

    Obviously, some people only learn through pain. So go ahead, touch the hotplate. Burn your fingers.

    The problem is that your learning process affects many, many other people, starting with the 200 users. Sure, you could argue it's their fault that they've hired you in the first place. But how are they supposed to assess the security of your code? They're trusting you to do that.

    Anyway, I'm getting tired of arguing against the same ignorant statements and poor excuses. We've hit a wall here.
#15 | Contributing User, Devshed Newbie (0 - 499 posts) | Joined Apr 2009 | Posts: 88 | Rep Power: 6
    Sorry that you feel like that Jacques1.

    I really don't think that anyone is bothered about hacking into a web site used by 200 people. I provide my services free of charge (to the Club) and it has taken thousands of hours to develop the site.

    I value the help from this Forum as I am not a technician.

    The point is that you need to balance security against the cost and time. Or the risk against cost and time.

    So, the level of security is fine. But we have deviated from my original question which has really been answered.
