I have a blogsystem where users can enter a name for a free url and the content which should be displayed on the url.
So.. the html-tags have to be rendered in browser but when they write php-code or other similar things they should not be executed when the user then visits the new site.
Right now I do it like this:
$new_url = $_POST["newurl"];
$header = file_get_contents("./header.php");
$part1 = "<?php echo html_entity_decode(\"";
$content = htmlspecialchars($_POST["content"]);
$part2 = "\"); ?>";
$footer = file_get_contents("./footer.php");
file_put_contents("./$new_url".".php",$header.$part1.$content.$part2.$footer);
Like that the html is rendered correctly in the users browser when he calls domain.tld/"url-he-entered".php
But I am unsure if this is a safe way or could the user still enter php-code in the content and it would be executed when he loads the new url?
The comments from @CD001 solved the issue:
The whole idea is a security nightmare anyway mind - ideally you don't want a public facing application able to write anything within the DOCROOT unless you've got a really good handle on the security. You'd be better off storing whatever they enter in a database then using
mod_rewriteto hijack the URLs so that whatever the user's URL is, it pulls in your PHP but drops in their sanitised content from the DB (you could use something like http://htmlpurifier.org/).