Page 370 - Beginning PHP 5.3
Part III: Using PHP in Practice
Notice that the filename and fileContents field values are passed through PHP's htmlspecialchars() function, which encodes characters such as &, <, and > as HTML entities. This is an important security measure: the file being edited may itself contain markup, and in particular a literal </textarea> tag inside the file would end the editor's textarea early, so that whatever followed it (a <script> element, say) would be rendered and run in the browser of the person editing the file. Encoding the contents makes the browser display them as text rather than interpret them:
<textarea name="fileContents" id="fileContents" rows="20" cols="80"
style="width: 100%;"><?php
echo htmlspecialchars( file_get_contents( $filepath ) )
?></textarea>
You can find out more about htmlspecialchars() , and security in general, in Chapter 20.
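To make the breakout concrete, here is an added example (not the book's code) that builds the editor's textarea the way the book does, feeds it a constructed file whose contents contain a closing </textarea> tag and a script, and counts how many real closing tags the resulting markup contains with and without encoding. The renderTextarea() function and the sample contents are mine; the htmlspecialchars() call is the same one the book uses, with an explicit charset added:

```php
<?php
// Added example (not from the book): what goes wrong if the editor's textarea is
// filled with raw file contents, and how htmlspecialchars() prevents it.

// Build the edit form's textarea the way the book does, with the contents encoded.
function renderTextarea($contents)
{
    // ENT_QUOTES also encodes single quotes; the charset should match the page's.
    $safe = htmlspecialchars($contents, ENT_QUOTES, 'UTF-8');
    return '<textarea name="fileContents" id="fileContents" rows="20" cols="80">'
         . $safe . '</textarea>';
}

// Constructed sample: a file whose contents someone else controls. The literal
// </textarea> would close the editor's textarea early, and the script element that
// follows it would then run in the editing user's browser.
$hostile = "Just a note.\n</textarea><script>alert(document.cookie)</script>\n";

$unsafeMarkup = '<textarea>' . $hostile . '</textarea>';
$safeMarkup   = renderTextarea($hostile);

// Count the real closing tags in each version: two of them means a breakout.
printf("unencoded: %d </textarea> tag(s), live <script> present: %s\n",
    substr_count($unsafeMarkup, '</textarea>'),
    strpos($unsafeMarkup, '<script>') !== false ? 'yes' : 'no');
printf("encoded:   %d </textarea> tag(s), live <script> present: %s\n",
    substr_count($safeMarkup, '</textarea>'),
    strpos($safeMarkup, '<script>') !== false ? 'yes' : 'no');

// The encoded version shows the whole file, tags included, as plain text.
echo $safeMarkup, "\n";
```

Run it with php from the command line. The same encoding must be applied anywhere file contents or filenames are echoed into the page, not only inside the textarea; the book's edit form does this for both fields.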
The saveFile() Function
saveFile() is called when the user submits the edit form containing the file contents. It reads the filename from the form data, passing it through basename() to sanitize it: basename() strips any directory part, so a submitted name such as ../../etc/passwd is reduced to passwd, and the resulting path can never point outside the PATH_TO_FILES directory. The function then stores the full path to the file in $filepath:
$filename = basename( $_POST["filename"] );
$filepath = PATH_TO_FILES . "/$filename";
Next the function checks that the file exists; if so, it writes the submitted contents to the file by calling file_put_contents(), then redisplays the file list page by calling displayFileList(). If either step fails, an appropriate error message is displayed and the script exits. Notice that the function uses the === operator to test whether the return value of file_put_contents() is exactly false. Using the == or ! operator would not do the job. Why? Because file_put_contents() returns the number of bytes written when it succeeds. If the user saves an empty file, that number is zero, and since 0 == false in PHP, a == or ! test would wrongly report an error in this situation:
if ( file_exists( $filepath ) ) {
  if ( file_put_contents( $filepath, $_POST["fileContents"] ) === false )
    die( "Couldn't save file" );
  displayFileList();
} else {
  die( "File not found" );
}
Find out more on true , false , and the === operator in Chapter 3.
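To watch these checks doing their job, here is an added example (not the book's code) that reimplements saveFile()'s logic as a function returning a message instead of calling die(), and runs it against a scratch directory under the system temp path. PATH_TO_FILES is the book's constant; saveFileDemo() and the three sample requests are constructed for the demonstration, and the script needs only PHP 5.3 or later:

```php
<?php
// Added example (not from the book): saveFile()'s checks exercised against a scratch
// directory so the script runs stand-alone. PATH_TO_FILES is the book's constant;
// the function name and the sample requests are constructed for this demonstration.
define('PATH_TO_FILES', sys_get_temp_dir() . '/editor_demo_' . getmypid());
mkdir(PATH_TO_FILES);
file_put_contents(PATH_TO_FILES . '/notes.txt', "original text\n");

// Same logic as the book's saveFile(), but it returns a message instead of dying.
function saveFileDemo($postedName, $postedContents)
{
    // basename() discards any directory part, so "../../etc/passwd" can only ever
    // refer to PATH_TO_FILES/passwd, which does not exist in the scratch directory.
    $filename = basename($postedName);
    $filepath = PATH_TO_FILES . "/$filename";

    if (!file_exists($filepath)) {
        return "File not found";
    }
    // Strict comparison: 0 bytes written is a success, only false is a failure.
    // The @ only hides the warning PHP emits on a failed write.
    $written = @file_put_contents($filepath, $postedContents);
    if ($written === false) {
        return "Couldn't save file";
    }
    return "Saved $written byte(s) to $filename";
}

// 1. A path-traversal attempt is reduced to a plain name inside the editor's directory.
echo saveFileDemo('../../etc/passwd', "root::0:0\n"), "\n";

// 2. Clearing a file: file_put_contents() returns 0, which == false but !== false.
echo saveFileDemo('notes.txt', ''), "\n";
var_dump(0 == false);   // the loose comparison that would misreport case 2
var_dump(0 === false);  // the strict comparison the book uses

// 3. A genuine failure: file_exists() is true for the directory itself, and writing
//    "file contents" to a directory fails, so file_put_contents() returns false.
echo saveFileDemo('.', 'anything'), "\n";

// Remove the scratch directory again.
unlink(PATH_TO_FILES . '/notes.txt');
rmdir(PATH_TO_FILES);
```

Run it with php from the command line. The third case is worth noting: file_exists() is true for directories as well as regular files, so a submitted filename of . passes the existence check and fails only at the write; is_file() would reject it before any write is attempted. Note also that saveFile() relies on basename() alone, without the character whitelist createFile() applies, so any existing entry in the directory can be targeted, but never anything outside it.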
The createFile() Function
If the user clicks the Create File button on the file list page, createFile() is called to attempt to create the new file. The function reads the filename field sent from the form and sanitizes it in two steps: basename() removes any directory part, and preg_replace() then deletes every character that is not a letter, digit, underscore, hyphen, or space. If nothing is left after sanitizing, the file list page is redisplayed with an error message:
$filename = basename( $_POST["filename"] );
$filename = preg_replace( "/[^A-Za-z0-9_\- ]/", "", $filename );
if ( !$filename ) {
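As an added example (not the book's code), the following script applies createFile()'s two sanitizing steps to a few constructed filenames and compares the book's `if ( !$filename )` emptiness test with a strict one. sanitizeFilename() and the sample names are mine; the basename() call and the regular expression are the book's:

```php
<?php
// Added example (not from the book): the createFile() filename whitelist, run
// against a few constructed inputs. The function name is mine; the two
// sanitizing steps are the ones the book's createFile() performs.

function sanitizeFilename($posted)
{
    $filename = basename($posted);
    // Whitelist: letters, digits, underscore, hyphen and space. Everything else,
    // including ".", is dropped, so neither an extension nor "." or ".." survives.
    return preg_replace('/[^A-Za-z0-9_\- ]/', '', $filename);
}

// Constructed sample names, from harmless to hostile.
$samples = array(
    'report 2009',        // ordinary name, passes unchanged
    '../../etc/passwd',   // basename() leaves only "passwd"
    'notes.php.txt',      // the dots are removed by the whitelist
    '<script>',           // angle brackets removed
    '...',                // every character dropped: the name becomes empty
    '0',                  // survives both steps, yet !$filename treats it as empty
);

foreach ($samples as $raw) {
    $clean = sanitizeFilename($raw);
    // The book tests `if ( !$filename )`. PHP treats the string "0" as false in a
    // boolean context, so a file named "0" is rejected as if the name were empty;
    // comparing against '' with === only rejects a genuinely empty name.
    $bookEmpty   = !$clean;
    $strictEmpty = ($clean === '');
    printf("%-22s -> %-16s empty(!): %-5s empty(===''): %s\n",
        var_export($raw, true), var_export($clean, true),
        $bookEmpty ? 'true' : 'false', $strictEmpty ? 'true' : 'false');
}
```

Run it with php from the command line. The last sample shows a PHP quirk worth remembering when validating input: because "0" is false in a boolean context, !$filename rejects a file named 0 as though the name were empty; where that matters, test $filename === '' instead. The whitelist also drops every dot, so files created this way never get an extension and cannot be named . or .., which is what keeps createFile() inside PATH_TO_FILES.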