views: 72
answers: 5

Apologies, this is a tragically simple question that will bore most of you.

I need to implement the simplest "leave your email and we'll contact you" web page. The simplest thing I could think of is doing an HTML form which calls a PHP script which appends the data in some file on the server. Easy to implement, but now I'm wondering if it's totally hackable. Is it? Are there obvious better ways that are still simple?

thanks

f

+1  A: 

It's all right, but you may find a full database or SQLite a better option.

Just make sure you put the file in a place that's not accessible to the other users (e.g. outside the web server root or in a protected directory), otherwise everyone would be able to see the comments.

Artefacto
A: 

Whatever solution you choose (file, database, email, etc.), the safety will depend on the way you implement it:

  • How are you filtering the input?
  • How many submits do you permit per IP address?
  • etc.
jeroen
I'm not really filtering input or limiting submits per IP address - but they both sound like good ideas. Anything else? Never thought one would have to be so careful for something this simple - I guess this is the beauty of learning :) BTW, do you know of any code samples that show how one skilled in the art (clearly not me) would do this? I would assume this is a pretty common code snippet for early on in a site's life, and yet I haven't come across something that good - I'm probably not searching properly. Thank you!
fred august
If you are using a file, you definitely need to put it somewhere outside of your web-site root.
jeroen
+1  A: 

There are a few things you could do. First of all, since you're recording an email address, you could just use PHP's mail() function to send an email to somewhere centralized.

This sounds like a beta signup page, and a file would be ok if you don't have a database available. Just make sure that the file is stored outside of the served folder (above public_html, for example).

Also make sure that you regex or clean the data so that someone can't use it as a zombie form for spamming. Just cut off the email address input after the first \r\n and that will fix it.

Jordan
I didn't get the "cut off" comment. What will it fix? What if I wanted two paragraphs?
Artefacto
Ah sorry, I didn't get it was just an e-mail.
Artefacto
Yes, just on the email address fields, otherwise it can be stuffed with multiple addresses. That's not an issue if you're not using mail(), most likely, but it would reduce spam clutter in your file.
Jordan
+1  A: 

If you do decide to use a database (which I would, if you can: http://www.w3schools.com/PHP/php_mysql_intro.asp), make sure you sanity check all of your data (http://php.net/manual/en/function.mysql-real-escape-string.php) before you insert it into the database.

I would use a database as it makes it many times easier to analyse your data or even output it in a nice format on the page.

Chief17
+1  A: 

By hackable, do you mean could someone damage your file? Or read it? Or...? If I wanted to do what you said, I'd do this:

<?php
if(isset($_POST['submit_button_name'])){
    // Encode HTML special characters before the value is stored
    $email = htmlentities($_POST['email_address_field_name'], ENT_QUOTES);
    // Open the list in append mode; fopen() returns false on failure
    $handle = fopen("email_list.txt", "a");
    if ($handle !== false) {
        fwrite($handle, "\n".$email);
        fclose($handle);
    }
}
?>

<form> ... </form>

It would be private in the sense that someone wouldn't know where to find it, and safe because I've used the htmlentities() function to remove any possible XSS.

Andy
Actually you can't have XSS because it's in a .txt file, although I'd be worried about writing PHP code that could be included in an advanced LFI attack.
Rook
I'm concerned with someone accessing email_list.txt and stealing email addresses, but it sounds from the above comments like this should be manageable. BTW, is there an obvious way for someone to access the source code of my php script and thus know that I'm saving email addresses in email_list.txt? I sort of assumed that this would be done the same way one looks at the HTML source code for a page in a browser but haven't been able to replicate that.
fred august
@The Rook: ah, yes, good point. @fred august: PHP is handled 'server-side', which means it is all parsed on the server; only your client-side code (e.g. HTML) will be viewable to the public.
Andy
thank you guys!
fred august
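Pulling the thread's advice together (file outside the web root, one address per line cut at the first CR/LF, a cap on submits per IP address), here is an added example of the handler written the way those answers suggest; it is not code from any answer above. It assumes a form posting fields named `email` and `submit`, a storage path of `/var/www/private/email_list.txt` that the web server can write to but does not serve, and a record format of timestamp, IP and address separated by tabs (all my assumptions, not the thread's).

```php
<?php
// Hardened form handler (added example; assumed field names "email"/"submit"
// and a storage path outside the web root, as the answers above recommend).
define('LIST_FILE', '/var/www/private/email_list.txt');
define('MAX_PER_IP', 5);   // submissions allowed per IP address ...
define('WINDOW', 3600);    // ... within this many seconds
function clean_email(string $raw): ?string {
    // Keep only the first line: a CR/LF in the value is what lets the form be
    // abused as a spam relay once the value reaches mail() (Jordan's point).
    $first = strtok($raw, "\r\n");
    $first = trim($first === false ? '' : $first);
    // Reject anything that is not exactly one syntactically valid address.
    return filter_var($first, FILTER_VALIDATE_EMAIL) === false ? null : $first;
}
function over_limit(string $ip, int $now): bool {
    // Crude per-IP throttle: count this IP's entries inside the window.
    if (!is_file(LIST_FILE)) {
        return false;
    }
    $recent = 0;
    foreach (file(LIST_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        $parts = explode("\t", $line, 3);   // timestamp, ip, email
        if (count($parts) === 3 && $parts[1] === $ip && (int)$parts[0] > $now - WINDOW) {
            $recent++;
        }
    }
    return $recent >= MAX_PER_IP;
}
function record(string $email, string $ip, int $now): bool {
    // LOCK_EX so two simultaneous submissions cannot interleave their bytes.
    $line = "$now\t$ip\t$email\n";
    return file_put_contents(LIST_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $email = clean_email((string)($_POST['email'] ?? ''));
    if ($email === null) {
        http_response_code(400); echo 'Please enter a valid e-mail address.';
    } elseif (over_limit($ip, time())) {
        http_response_code(429); echo 'Too many submissions; try again later.';
    } elseif (!record($email, $ip, time())) {
        http_response_code(500); echo 'Could not save your address.';
    } else {
        echo 'Thanks, we will be in touch.';
    }
}
```

Because the address is validated with FILTER_VALIDATE_EMAIL before it is written, it can contain neither the tab used as a field separator nor a line break, so the file stays one record per line.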