Hey, I'm trying to write to my "config.php" file but it just won't work. I am using the code below. Using this code, it doesn't come up with any errors; it just doesn't write the string.

    $myFile = "config.php";
    $fh = fopen($myFile, 'w') or die("can't open file");
    $stringData = "<?php\n";
    fwrite($fh, $stringData);
    $stringData = "$db_user = '{$dbuser}';\n";
    fwrite($fh, $stringData);
    $stringData = "$db_pass = '{$dbpass}';\n";
    fwrite($fh, $stringData);
    $stringData = "$db_name = '{$dbname}';\n";
    fwrite($fh, $stringData);
    $stringData = "$db_host = 'localhost';\n";
    fwrite($fh, $stringData);
    $stringData = "$db_host = 'mysql_connect($db_host, $db_user, $db_pass) or die(mysq_error());\n";
    fwrite($fh, $stringData);
    $stringData = "$db_host = 'mysql_select_db($db_name) or die(mysql_error());\n";
    fwrite($fh, $stringData);
    $stringData = "$db_host = 'function protect($str) {\n";
    fwrite($fh, $stringData);
    $stringData = "$db_host = '   return mysql_real_escape_string(urldecode($str));\n";
    fwrite($fh, $stringData);
    $stringData = "$db_host = '}\n";
    fwrite($fh, $stringData);
    $stringData = "$db_host = '?>\n";
    fwrite($fh, $stringData);
    fclose($fh);

What am I doing wrong?

Duncan Palmer
  • Are the permissions correct? Do you get any errors? What actually happens? – Jonathon Aug 13 '11 at 23:30
  • Please take this to heart: You should never post that "you're getting an error" or "it doesn't work" without telling us *what* error, or *how* it doesn't work. We can't help you otherwise. – user229044 Aug 13 '11 at 23:34
  • @Duncan: as explained in my answer below, you are not properly escaping your variables. When confronted with a problem like this, try to get the smallest piece of code that works, then build from there. In this instance, comment all lines except the first one, then uncomment the second, then test, etc. – JRL Aug 13 '11 at 23:39

3 Answers


You need to properly escape the $ characters when you want them to be output, like so:

    $stringData = "\$db_user = '{$dbuser}';\n";

JRL
  • @Duncan Specifically, you seem to think you need to use `"{$variable}"` to substitute the value into the string. You don't. Both `"$db_user"` and `"{$db_user}"` will cause the value of `$db_user` to be interpolated into the string. – user229044 Aug 13 '11 at 23:36
  • @Duncan I mean, you're using strings like this: `"$db_user = '{$dbuser}';\n";` which seems to imply you don't realize this is identical to `"{$db_user} = '{$dbuser}'"` or `"$db_user = '$dbuser'"`. You don't need the `{}`. It looks like you're intending to write the literal string `"$db_user"` to the file, but this isn't what you're doing. If `$db_user` isn't set, you're going to write something like `" = 'username'"` to the file. – user229044 Aug 13 '11 at 23:38

Look! If you want to write something to a file like:

    $stringData = "$db_host = 'localhost';\n";


You should escape it!

    $stringData = "\$db_host = 'localhost';\n";

And

    $stringData = "$db_host = 'mysql_connect($db_host, $db_user, $db_pass) or die(mysq_error());\n";

Why did you quote the mysql function????

undone

> What am I doing wrong?

The big thing you are doing wrong is confusing code and data. Having self-modifying code on a webserver is a recipe for disaster.

But assuming you actually want your application to be hacked and destroyed... You need to escape references to variables to avoid them being interpolated, i.e.

    fwrite($fh, '$db_user = ' . "'{$dbuser}';\n");

You should also provide meaningful explanations of why your code is not behaving as you expect (a bit more information than "it just won't work"). Assuming the file is not being written / amended and the script is bombing out with "can't open file", it's probably a permissions problem - but since you've provided no details of which OS this is, we can't tell you how to fix that.

Also you're quoting function names - does that mean you are using eval to invoke the self-modified code at runtime? OMG!

symcbean
  • I'm new to PHP :S but the problem is that it just doesn't write to the file. No errors come up at all. – Duncan Palmer Aug 13 '11 at 23:44
  • If you're not seeing the die() message then it's not dying - so it's writing the file - just not the file you expect / in the location you expect. – symcbean Aug 14 '11 at 00:13
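
An added example, not part of the question or of any answer above: one way to generate the file so that the `$` in each variable name is written literally and each value is emitted through `var_export()` as a valid PHP string literal, so a quote inside a password cannot end the string early. The sample values, the `build_config()` helper and the `config.generated.php` path are assumptions made for illustration.

```php
<?php
// Constructed sample values (not from the original post).
$dbuser = 'app_user';
$dbpass = "pa'ss\\word";   // contains a quote and a backslash on purpose
$dbname = 'app_db';

/**
 * Build the text of a config file that assigns each setting to a PHP variable.
 * Variable names are emitted from single-quoted strings, so "$" stays literal;
 * values go through var_export(), which returns a valid PHP string literal.
 */
function build_config(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        // Only plain identifiers are accepted as variable names.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad setting name: $name");
        }
        $out .= '$' . $name . ' = ' . var_export((string) $value, true) . ";\n";
    }
    return $out;
}

$config = build_config([
    'db_user' => $dbuser,
    'db_pass' => $dbpass,
    'db_name' => $dbname,
    'db_host' => 'localhost',
]);

// Write to a temporary file, then rename it into place, checking every
// return value so a failed write is reported instead of passing silently.
$target = __DIR__ . '/config.generated.php';   // hypothetical path
$tmp = $target . '.tmp';
if (file_put_contents($tmp, $config, LOCK_EX) === false) {
    die("can't write $tmp");
}
if (!rename($tmp, $target)) {
    die("can't rename $tmp to $target");
}

// Round trip: including the generated file must give back the same values.
include $target;
var_dump($db_user === $dbuser, $db_pass === $dbpass, $db_name === $dbname);
echo $config;
```

Using `__DIR__` for the target also pins down which directory the file lands in, instead of depending on the script's current working directory.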