Okay, I'm just a little newbie in programming, just doing it as a pastime hobby. I am just recently making a web editor for fun, and the way I was doing it (using PHP) I was told would be a bad way. I also thought about it while I was making it, and with massive sums of data transfer it would be a bad idea to do it this way. Thing is, I can't think of another way to do it and was looking for someone to help me improve it; by it I mean the save method I am using. Here are my codes:
Editor:
<html>
<head>
<title>Web Editor</title>
<link href="controller.css" rel="stylesheet"/>
<script type="text/javascript" src="script/editor.js"></script>
</head>
<body>
<div class="platform">
<!-- a <div> is not allowed inside <p>, so the file name sits in a <span> -->
<div class="head"><div class="file"><p>File: <span id="file">C:\hello.html</span></p></div></div>
<div class="hotbar"><img src="images/save.png" class="hotbarImage" onClick="save()" />
</div>
<div class="editor"><div contenteditable="true" style="height:100%; overflow:scroll;" id="editPad"></div></div>
</div>
</body>
</html>
JS:
function save() {
// the path shown in the header and the editor's raw HTML both travel in the URL
var dir = document.getElementById("file").innerHTML;
var data = document.getElementById("editPad").innerHTML;
window.location = "save.php?dir=" + encodeURIComponent(dir) + "&data=" + encodeURIComponent(data);
}
PHP:
<?php
$dir = $_GET['dir'];
$data = $_GET['data'];
// turn the entities the contenteditable div produced back into the characters
// the user typed, and drop the wrapper tags the browser inserted
$lookFor = array("&lt;", "&gt;", "<br>", "<%2Fdiv>", "<div>", "</div>");
$replaceWith = array("<", ">", "", "", "", "");
$newData = str_replace($lookFor, $replaceWith, $data);
// the path comes straight from the query string
$f = fopen(urldecode($dir), "w");
fwrite($f, urldecode($newData));
fclose($f);
?>
All of it is just a work in progress and needs more done. But for right now, is there a better way for me to save the file with massive sums of data being transferred?
You shouldn't use a GET request for storing data for several reasons, but the most important one being: GET requests have a limit to how long they can be.
If you have very large content it might just be that you can't save it because your browser won't send the URL or the server won't accept it (because it's too long).
What you can do is make a hidden form, fill the fields you need and submit it with JavaScript. Make sure to set action="post".
You've got a few major security holes. The most important one is that fopen call. I can pass any file into $dir, including /var/www/file.php, and write any data to it. This can be easily exploited and someone can compromise your entire webapp, as they can write a new PHP file and read/write to your filesystem.
Don't write arbitrary files to your filesystem. You should store them in a database. Once you fix that part of your code, you'll need to deal with escaping the HTML properly.
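Putting the two answers together, here is an added example that is not part of the question or either answer: a single self-posting script (called editor.php here, a name chosen for the example) that serves the editor with a hidden form whose method attribute is post, accepts the save only from a POST body instead of the query string, stores the document in an SQLite table through PDO prepared statements rather than calling fopen() on a user-supplied path, and escapes the stored text on output. It assumes PHP 7.4 or later with the pdo_sqlite extension, that a file editor.sqlite can be created beside the script, and that a document is identified by a short slug the user picks, never by a file path.

```php
<?php
// Added example, not the question's or an answer's code. Assumptions: PHP 7.4+
// with pdo_sqlite; editor.sqlite is created next to this script; document names
// are short slugs, so no user input is ever used as a filesystem path.
declare(strict_types=1);

// Open (or create) the SQLite database that replaces the direct fopen() call.
function openDb(): PDO {
    $db = new PDO('sqlite:' . __DIR__ . '/editor.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS documents (
        name TEXT PRIMARY KEY,
        body TEXT NOT NULL,
        updated_at TEXT NOT NULL)');
    return $db;
}

// Only a short slug is accepted as a document name, so values such as
// "/var/www/file.php" or "../x" are rejected before storage is touched.
function validDocName(string $name): bool {
    return (bool) preg_match('/\A[a-z0-9][a-z0-9_-]{0,39}\z/', $name);
}

// Convert the contenteditable markup into plain text: <br> and </div> become
// newlines, every other tag is dropped, then entities such as &lt; are decoded once.
function editorHtmlToText(string $html): string {
    $text = preg_replace('#<br\s*/?>|</div>#i', "\n", $html);
    $text = preg_replace('#<div[^>]*>#i', '', $text);
    $text = strip_tags($text);
    return html_entity_decode($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = openDb();
$message = '';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {          // saving is only possible via POST
    $name = $_POST['doc'] ?? '';
    if (!validDocName($name)) {
        http_response_code(400);
        $message = 'Invalid document name.';
    } else {
        // prepared statement: the body goes in as a bound value, never as SQL text
        $stmt = $db->prepare('INSERT OR REPLACE INTO documents (name, body, updated_at)
                              VALUES (:name, :body, :ts)');
        $stmt->execute([
            ':name' => $name,
            ':body' => editorHtmlToText($_POST['data'] ?? ''),
            ':ts'   => gmdate('c'),
        ]);
        $message = 'Saved.';
    }
}

// Load the document to display (GET ?doc=name, or the one just saved).
$name = $_GET['doc'] ?? $_POST['doc'] ?? 'hello';
$body = '';
if (validDocName($name)) {
    $stmt = $db->prepare('SELECT body FROM documents WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $body = (string) $stmt->fetchColumn();
}
// Escape on output, so stored text such as <script> is displayed, not executed.
$safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$safeBody = htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
?>
<!DOCTYPE html>
<html>
<head><title>Web Editor</title></head>
<body>
<p>File: <span id="file"><?= $safeName ?></span> <?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<button type="button" onclick="save()">Save</button>
<div id="editPad" contenteditable="true" style="height:80%;overflow:scroll;border:1px solid #888"><?= nl2br($safeBody) ?></div>
<!-- hidden form: the content travels in the POST body instead of the URL -->
<form id="saveForm" method="post" action="editor.php" style="display:none">
  <input type="hidden" name="doc" value="<?= $safeName ?>">
  <input type="hidden" name="data" id="dataField">
</form>
<script>
function save() {
  // copy the editor's HTML into the hidden field, then submit the form
  document.getElementById('dataField').value = document.getElementById('editPad').innerHTML;
  document.getElementById('saveForm').submit();
}
</script>
</body>
</html>
```

To try it, run `php -S localhost:8080` in the script's directory and open http://localhost:8080/editor.php?doc=hello; the Save button posts back to the same script. Because the name is validated with an allow-list pattern and the body is written to a database row, there is no code path on which request data decides which file on disk gets written, and because the text is escaped with htmlspecialchars() when it is rendered back into the page, whatever was typed is shown literally.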