November 17th, 2013, 04:41 PM
Produce html page
At the moment I have a "back end" to my web site where a few authorised users are allowed to upload previously written html files to extend the web site (e.g. an information sheet that is updated weekly).
An alternative would be to have a Form where the authorised users could write their weekly message and post it onto the web site. I know how to do this to write the information to a file. But how can I publish this information to an html page? Can someone please help me and point me to some information/tutorial that I can read?
Sorry, I want to write this in php so that I can update various files as it is posted.
November 17th, 2013, 07:15 PM
fopen
If I understand you correctly, you want to display the contents of a file on a webpage? Is it just a text file you want to use? If so, fopen and fread should do what you're looking for.
November 17th, 2013, 07:19 PM
You should not allow your users to write their own HTML or upload files somewhere. This is a huge security risk and regularly leads to websites getting hacked (a recent example is Ubuntu Forums).
The users should only be able to submit raw text. You then store this text in a database. People today often use SQL database systems like PostgreSQL or MySQL. To show the text, you retrieve it from the database, escape it (never forget this part!) and echo it into your own HTML.
You don't need a tutorial for that. And given the extremely poor quality of most PHP tutorials, you probably shouldn't even look for one. Instead, learn the basics of PHP:
How to (properly) access a MySQL database with PHP
November 17th, 2013, 07:49 PM
What Jacques1 said.
P.S. There are existing CMSes that do this already (e.g., Drupal or WordPress), so you don't have to write this from scratch.
November 18th, 2013, 08:19 AM
Perhaps I should explain. The web site is password protected for members of a Club. So it is not possible to hack into it. The Committee at the moment use a word processor (I know that it is not the best approach but you have to understand that these are "luddites") to produce an html document. They then have access to a Control page where they can upload the html page onto the web site. So there is no security risk.
Hope that this is clear.
November 18th, 2013, 12:44 PM
You may think I'm being unhelpful, but this isn't just about security. It's also about best practice and what's most efficient.
CMSes like WordPress and Drupal came about for a reason. It's a lot easier to manage dynamic content through a database than through another way.
What are your reasons for not just setting up a MySQL database with a table full of HTML pages with dates and authors attached?
November 18th, 2013, 01:19 PM
Whenever I hear this sentence, I know that the security is even worse than I thought. Because people who actually know a bit about security simply wouldn't make a statement like this.
... at least that's what your Committee has decided, I guess.
Now back to reality:
- You're using passwords.
- You're dealing with "luddites". This means the password is "carol1975" and is written on a post-it note stuck to the monitor.
- The passwords are stored on the server. Let me guess: as plaintext?
- Whoever got the password can happily upload unfiltered HTML files to the server.
Yes, you do have a security problem. You can either acknowledge that and do something about it. Or you can hope that your "unhackable server" will magically protect everybody.
In my experience, the latter doesn't work too well.
And for what reason exactly?
By the way, this is exactly what happened at Ubuntu.
November 18th, 2013, 05:38 PM
That is exactly what I have currently. So the "committee" upload previously prepared pages written in html and this is "added" to the web site for authorised visitors to view and there is a table (record) of the uploaded pages.
I accept the points about security and no, I have not encrypted the passwords. But this is a small private Club of 200 members.
I am trying to make life simple for the "committee". Asking them to write html is proving difficult.
Maybe the only solution is to save the information to a table in MySQL (from the Form) and then use this as the data source rather than an html page. I already do this for one other feature in the web site. I just thought that posting a message could be made simpler.
November 18th, 2013, 06:22 PM
Any chance you could tell me the url to your unsecured site so I could do some "pen testing" to show you why security is important?
In all seriousness, if you let me do this, you would end up with a defaced homepage that says the website was hacked, a back door, and me sending you a PM with all of your SQL data from the database, based on what I have read about your security so far.
Last edited by jack13580; November 18th, 2013 at 06:36 PM.
November 18th, 2013, 06:36 PM
I don't know that this is the only solution, but it's certainly the best. It also gives you control over how the HTML pages look. Similar to WordPress, allow people to give the page a title and to edit the content, but then when you pull that stuff out of the database, you render it with some includes, e.g.,
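An added example (not code from the thread or any poster) of the approach recommended above and in Jacques1's earlier post: the form submits raw text only, it is stored with prepared statements, and it is escaped when echoed into the site's own HTML. The `messages` table, the database credentials and the `$_SESSION['member']` value set by the existing login check are assumptions.

```php
<?php
// Added example: store a committee member's plain-text message from a form in
// MySQL and render it escaped inside the site's own HTML. Assumed: a table
// messages(id, title, body, author, posted_at) and the credentials below.
declare(strict_types=1);
session_start(); // the site's existing login check is assumed to set $_SESSION['member']

function db(): PDO {
    // Exceptions on error and real server-side prepared statements.
    return new PDO('mysql:host=localhost;dbname=club;charset=utf8mb4', 'club_user', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Save the submitted message: values are bound as parameters, never concatenated into SQL.
function saveMessage(PDO $pdo, string $title, string $body, string $author): void {
    $stmt = $pdo->prepare(
        'INSERT INTO messages (title, body, author, posted_at) VALUES (:title, :body, :author, NOW())'
    );
    $stmt->execute([':title' => $title, ':body' => $body, ':author' => $author]);
}

// Escape for HTML output: whatever the member typed is shown as text, never as markup.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build the message list; nl2br keeps line breaks without allowing any tags through.
function renderMessages(PDO $pdo, int $limit = 10): string {
    $stmt = $pdo->prepare('SELECT title, body, author, posted_at FROM messages ORDER BY posted_at DESC LIMIT :lim');
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    $html = '';
    foreach ($stmt->fetchAll() as $row) {
        $html .= '<article><h2>' . h($row['title']) . '</h2>'
               . '<p class="meta">' . h($row['author']) . ', ' . h($row['posted_at']) . '</p>'
               . '<p>' . nl2br(h($row['body'])) . '</p></article>';
    }
    return $html;
}

// Form handling: on POST, store the text and redirect back to the page that echoes renderMessages().
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = db();
    saveMessage($pdo, trim($_POST['title'] ?? ''), trim($_POST['body'] ?? ''), $_SESSION['member'] ?? 'unknown');
    header('Location: messages.php');
    exit;
}
```

The page template would then `include` this file and `echo renderMessages(db());` where the messages belong, so the layout stays under your control rather than inside each uploaded document.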
November 18th, 2013, 07:16 PM
I know this isn't the top priority, but, I feel it needs to be added:
Word Processor programs are not designed to output "proper" html markup.
So, even if the rest of the scheme worked, there is no guarantee that the "created" html documents would even display properly (without first stripping out the unnecessary word processor junk code).
November 19th, 2013, 04:23 AM
You could use TinyMCE, which lets users write a proper document that gets converted into HTML.
Your committee might not be very happy when their site is hacked.
November 19th, 2013, 09:41 AM
If I was designing a banking system or managing a manned space mission then security would be a big issue. But I am not. This is a small private club and the only reason for security is to ensure that members' email addresses and telephone numbers remain private. It is safer stored on an on-line MySQL database (with password) with the only access through a password protected web site than on someone's private laptop in their home.
All I want to do is to post messages now and again on the web site. Currently I have a template written in MS Word that the committee can modify, save on their computer and upload through the Control page. I know that Word is not the most efficient for html but it is much easier than teaching the committee how to use an html editor.
And they can easily format the message as the template is written using tables. This is not easily possible using Forms but it occurred to me that I would forgo this limitation in the interests of making life easier for Committee members.
So, I have concluded that I either leave things as they are or use Forms to store the message in a table.
Sorry jack13580, I could give you the URL and I don't think that you would be able to "hack into" the web site but I'm not going to take that sort of risk. For what we need the security is absolutely fine (even if you happen to find the URL of an "internal" page it will throw you out of the web site as the code on each page does a number of checks to make sure that you haven't "jumped in"; just a bit of added security).
Thanks everyone though for your input.
November 19th, 2013, 10:25 AM
Obviously, some people only learn through pain. So go ahead, touch the hotplate. Burn your fingers.
The problem is that your learning process affects many, many other people, starting with the 200 users. Sure, you could argue it's their fault that they've hired you in the first place. But how are they supposed to assess the security of your code? They're trusting you to do that.
Anyway, I'm getting tired of arguing against the same ignorant statements and poor excuses. We've hit a wall here.
November 19th, 2013, 02:52 PM
Sorry that you feel like that Jacques1.
I really don't think that anyone is bothered about hacking into a web site used by 200 people. I provide my services free of charge (to the Club) and it has taken 1000's of hours to develop the site.
I value the help from this Forum as I am not a technician.
The point is that you need to balance security against the cost and time. Or the risk against cost and time.
So, the level of security is fine. But we have deviated from my original question which has really been answered.