Something wrong with PHP

String concatenation is done with dots (.), and not commas (,).


fwrite($handle, "<h2 class="Roboto-Slab">$title</h2>", "<br>", "<h3 
class="Roboto-Slab">By $name</h3>", "<p class="Roboto-Slab">$content</p>");


fwrite($handle, "<h2 class="Roboto-Slab">$title</h2>". "<br>". "<h3 
class="Roboto-Slab">By $name</h3>". "<p class="Roboto-Slab">$content</p>");

And it will work. However, this concatenation is useless. You can do simply:

fwrite($handle, "<h2 class="Roboto-Slab">$title</h2><br><h3 class="Roboto-Slab">By $name</h3><p class="Roboto-Slab">$content</p>");

Also check if comments.html file has CHMOD 777. Furthermore, enable error_reporting on your php.ini file, as the PHP error thrown on this case could guide you to the error line easily.

Here’s an implementation of your code secured against stored XSS (the vulnerability that allows people to insert HTML and Javascript code on your page) as well as RCE (remote code execution):

    $title = strip_tags($_POST['title']);
    $name = strip_tags($_POST['name']);
    $content = nl2br(htmlspecialchars($_POST['commentContent']));
    $handle = fopen("comments.html", "a");
    fwrite($handle, "<h2 class="Roboto-Slab">$title</h2><br><h3 
    class="Roboto-Slab">By $name</h3><p class="Roboto-Slab">$content</p>");


    <form action="" method="POST">
    <textarea class="comment-boxmain" rows="20" cols="40" name="commentContent" 
    placeholder="Start Typing...."></textarea><br>
    <input class="comment-boxname" placeholder="Title" type="text" 
    <input class="comment-boxname" placeholder="Your Name" type="text" 
    <input class="comment-btn" type="submit" value="post"><br>
    <?php echo file_get_contents("comments.html"); ?>

Also, do some searching about database engines (if you want to still using files, take a look on implementation of flat-files databases, as it’s called).

Leave a Comment