Article | October 17th, 2008

Here is a quick way to create a configuration file from the web. It can be used to set up an application initially, or expanded to allow users to modify the configuration later.

We will take advantage of PHP's ability to include code in an existing script. Instead of creating an initialization file that must be read and parsed, we let PHP do the parsing. The configuration file consists of a series of variable definitions. Our example script could be used to initially set up a database-driven web application, such as a message board. It may also be extended to allow updating of application settings at any time.

Our example will contain settings frequently used in PHP applications: values used for connecting with and querying a database and a filesystem path. Here is what the resulting configuration file might look like.

<?php
// Do not edit this file. Generated by admin script.
// Database settings
$db_user = 'me';
$db_pass = 'noneofyourbizness';
$db_host = 'localhost';
$db_name = 'mydb';
$db_table = 'mystuff';
// Paths
$base_path = 'home/users/me/mystuff';
?>

Our goal is to accept values from a web form and write changes to a configuration file.

For example, if you wanted to create a setup script for a database driven web application, users would go to a form page with the following inputs:

db_user     Database user name.
db_pass     Database password.
db_host     Database host name.
db_name     Database name.
db_table    Name of table application uses.
base_path   Path to folder containing files
            of interest to the application.

Writing the Configuration File

function write_config()
{
    // For every setting, add a global variable
    global $db_user, $db_pass, $db_host, $db_name, $db_table;
    global $base_path;

    // Prepare settings
    // Using single quotes is easier because you don't have to escape them. For every setting, add a line.
    // Values are written as-is, so clean them before calling (see Security Concerns).
    $settings = "<?php\n";
    $settings .= "// Do not edit this file. Generated by admin script.\n";
    $settings .= "// Database settings\n";
    $settings .= "\$db_user = '$db_user';\n";
    $settings .= "\$db_pass = '$db_pass';\n";
    $settings .= "\$db_host = '$db_host';\n";
    $settings .= "\$db_name = '$db_name';\n";
    $settings .= "\$db_table = '$db_table';\n";
    $settings .= "// Paths\n";
    $settings .= "\$base_path = '$base_path';\n";
    $settings .= "?>\n";

    // Write out new initialization file
    $fd = fopen( '/somepath/config.php', "w" )
        or die ("Cannot create configuration file.");
    fwrite( $fd, $settings );
    fclose( $fd );
}


Note: Because I made this a function, we need to include any variables we are going to write into the configuration as global variables or function parameters. I chose to make all variables used by the configuration file globals. They will likely be global to the whole application anyway (unless you’re using classes).

Getting Input from the User

To use this, all you need is a form with inputs matching the variable names. The values get submitted and then written out as variables in the configuration file. When the configuration file is loaded by the application, the submitted values are available.

I’ve designed a form for use with the setup script.

<form action="setup.php" method="POST">

<style type="text/css">
  td { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small; color: #333333 }
  .formhed { background-color: #cccccc; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small; color: #333333 }
  .intputhed { background-color: #eeeeee; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: x-small; color: #333333 }
</style>

<!-- Current values are HTML-escaped so a quote or tag in a setting cannot break out of the attribute -->
<table cellspacing="2" cellpadding="5">
   <tr class=intputhed>
      <td colspan="2" class=formhed>Setup </td>
   </tr>
   <tr class=intputhed>
      <td>Database User Name</td>
      <td><input type="Text" name="db_user" size="24" value="<?php echo htmlspecialchars($db_user, ENT_QUOTES); ?>"></td>
   </tr>
   <tr class=intputhed>
      <td>Database Password</td>
      <td><input type="password" name="db_pass" size="24" value="<?php echo htmlspecialchars($db_pass, ENT_QUOTES); ?>"></td>
   </tr>
   <tr class=intputhed>
      <td>Database Host</td>
      <td><input type="Text" name="db_host" size="24" value="<?php echo htmlspecialchars($db_host, ENT_QUOTES); ?>"></td>
   </tr>
   <tr class=intputhed>
      <td>Database Name</td>
      <td><input type="text" maxlength=60 size="24" name="db_name" value="<?php echo htmlspecialchars($db_name, ENT_QUOTES); ?>"> </td>
   </tr>
   <tr class=intputhed>
      <td>Database Table</td>
      <td><input type="text" maxlength=60 size="24" name="db_table" value="<?php echo htmlspecialchars($db_table, ENT_QUOTES); ?>"> </td>
   </tr>
   <tr class=intputhed>
      <td>Full Path</td>
      <td><input type="text" maxlength=60 size="24" name="base_path" value="<?php echo htmlspecialchars($base_path, ENT_QUOTES); ?>"> </td>
   </tr>
   <tr class=intputhed>
      <td colspan="2">
         <input type="Hidden" name="action" value="update_config">
         <input type="Submit" value="Next >>"> </td>
   </tr>
</table>
</form>



Security Concerns

Anytime you create or write an operating system file from a web based form and script combination, you must consider how secure it is. There is potential for abuse if users can write files all over the place.

First, you should be sure that the path to the configuration file is hardwired into the script. Never let the user define this path directly from the form input. If you do have a need for the user to select from a number of configuration files, select them from an array of allowed paths. The form should only allow the users to indicate which path they are selecting, for example, by an option number obtained from a drop down menu.

Second, you should be sure the configuration file is not writeable by anyone on the net. It should be writeable only by the owner and any script granted access to the filesystem.

If PHP is not running under your user id, then the user will have to manually make the file world writeable until the new file is written out, and then manually change the permissions so it is no longer world writeable.

Third, I suggest user input be run through a function that strips any HTML tags, SSI includes, Unix system characters or commands before writing the configuration out. You may need to allow some of these given the purpose of the input, for example, if the input is for a snippet of HTML. You still want to be careful, because submitting a bit of JavaScript could wreak havoc if displayed in your browser, and a snippet of PHP code could also do harm.
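
The three recommendations above, combined in one writer. This is an added example, not code from the original article; the names CONFIG_FILES, SETTING_RULES, build_config() and save_config(), the second file path, and the validation patterns are assumptions. It validates each value against a pattern and writes it with var_export() rather than stripping characters, so a quote in a value cannot turn into PHP code when the file is included.

```php
<?php
// Added example, not the article's code. All names and patterns are assumptions.

// Allow-list of config files: the form submits only the option number.
const CONFIG_FILES = [
    1 => '/somepath/config.php',
    2 => '/somepath/config-test.php',   // constructed second entry
];

// One pattern per setting (D: "$" must match the very end of the value).
const SETTING_RULES = [
    'db_user'   => '/^[A-Za-z0-9_]{1,32}$/D',
    'db_pass'   => '/^[^\x00-\x1F\x7F]{1,128}$/D',
    'db_host'   => '/^[A-Za-z0-9.\-]{1,253}$/D',
    'db_name'   => '/^[A-Za-z0-9_]{1,64}$/D',
    'db_table'  => '/^[A-Za-z0-9_]{1,64}$/D',
    'base_path' => '#^/?[A-Za-z0-9_./\-]{1,255}$#D',
];

function build_config(array $input): string
{
    $out = "<?php\n// Do not edit this file. Generated by admin script.\n";
    foreach (SETTING_RULES as $name => $pattern) {
        $value = $input[$name] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Invalid value for $name");
        }
        // var_export() emits an escaped PHP string literal, so a quote or
        // backslash in the value stays data and cannot end the string early.
        $out .= '$' . $name . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

function save_config(string $choice, array $input): void
{
    $path = CONFIG_FILES[$choice] ?? null;   // never a path taken from the form
    if ($path === null) {
        throw new InvalidArgumentException('Unknown configuration file');
    }
    $tmp = $path . '.tmp';
    // Create the file owner-only before any secret is written, then swap it in.
    if (!touch($tmp) || !chmod($tmp, 0600)
        || file_put_contents($tmp, build_config($input), LOCK_EX) === false
        || !rename($tmp, $path)) {
        throw new RuntimeException('Cannot create configuration file.');
    }
}
```

In setup.php this would be called with the submitted option number and the posted values, for example save_config((string) ($_POST['config_file'] ?? ''), $_POST), where config_file is a hypothetical drop-down field.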
