Store form data in a PHP file

I am building a template that I can distribute, and I need a user-friendly way that users can fill in their information without touching code (this is just HTML, CSS JS and PHP. Not WordPress). So if the user types in their name, place of work, uploads an image, etc then submits, it would appear in the actual .php file.

Example: After user submits, “name” to appear in between and h1 tag. This should be visible within the actual file, as well as the website.

I’m aware this is very risky and prone to attacks, but I looked everywhere and can’t find anything that exists. Maybe I’m asking the wrong questions? The closet thing I’ve found are “php to txt.file” tutorials. Beginning to think I’ll have to learn a new language to get this done.

This is what I have so far. Most likely won’t be using it, but, is there a better way to do this?


<form  method="POST">
    <input name="name" type="text" required>
    <input name="email" type="text" required>
    <input type="submit" value="Submit">
   $name = $_POST['name'];
   $email = $_POST['email'];
   $file = fopen("index.php", "a");
   fwrite($file, $name . "\n");
   fwrite($file, $email . "\n");


Well, I will assume you mean that you are needing to replace data into a template.
That is not exactly what you said. But, any file that is created using text can be fixed up as needed.
A PHP file is just a text file. PDF’s are coded and require a library to access. Text files are easy.
Are you attempting to create a text file, document, PDF, Excel file? Depends on the process you use.

Let’s say it is just a text file. In the text file put some unique “tag” that pertains to the field you want to replace it with. Let’s say start with NAME. Create a unique tag, let’s say “{{{name}}}” which would never be created by accident. Then, create the template like this:
$template = “
Welcome to our server, Mr. {{{name}}},
We are happy to serve you… ETC…”
You can create an entire template with whatever text file or letter you need.

Next, once the user posts on the live page, you use code like this to fix it up correctly…

   $template = file_get_contents("your_template.tmp");  //  Some template file
   ...  Assumes you already got the name and email...
   $template = str_replace("{{{name}}}", $name, $template);  //  Replaces the tag with the live data
   $template = str_replace("{{{email}}}", $email, $template);  //  Do as many of these as needed

Just a quick starting point for you. If you give us a little more info, we can help further…

Firstly, thank you for replying and the point, I’ll give that a try as well.

I’m not trying to create any new files, but add text (and images) through form input to an existing .php file. And possibly have the ability to replace what’s been added. I’m building a front-end template (like a digital cv for example) and the user puts their information into the form. Whatever goes into the form, shows up on the website and in the existing .php file.

For example:

  1. The H1 tag is blank in about.php We want to fill that with text so it shows up in both about.php and seen on the website
  2. User opens up setup.php, and they’re met with a form
  3. User fills out form then hits “submit”
  4. After submission, the H1 tag inside about.php is now filled with the user’s name
  5. Ideally would need the option to replace what was added (this part I think I can figure out)
  6. There may need to be variables that go into different parts of the template, like $work = $_POST[‘work’]; needs to go into an H3 tag in another .php file.

I’ve recently been looking at pure JS CRUD methods as that seems to make sense in this case but, I don’t even know where to start. I’m a noob to both PHP and JS. Any more help or some direction will be much appreciated.

Well, I just told you how to do it. Any PHP file is just a text file with a different extension…
So, in your about.php add:

echo "<H1>{{{name}}}</H1>";

And, change it with the posted data. To load the about.php as a template, you can use:

$about = file_get_contents("about.php");

And, just use the replace command I showed you to replace it. Should work with ease…

Oh, if the about.php contains standard HTML, it works the same way without needed the echo part…

More on your comments. PHP is SERVER-SIDE only and JS is CLIENT-SIDE only.
So, you would not want to use JS as it would need to make server AJAX calls and would not be as secure.
But, I gave you how to do it securely with PHP using the posted data. And, it works as I have done it that way many times for various reasons.

Now, with all the last couple posts said, you can also just save it in a text file or in a database table and have the about.php file load the text file or database records. In this way, you never need to alter the actual about.php file. It would always be the same, but, load the text from a DB or text file…
Might make more sense doing that way. All programming puzzles can be solved in multiple ways…

Yeah, I still need to read up on databases as well.

Ok, so either I’m doing this wrong or having a difficult time understanding. Re-reading your first comment, I’m guessing I completely remove the fopen, fwrite, fclose functions so my form.php now has this:

// form is still the same 
   $template = file_get_contents("./templates/tabs/about.php");
   $name = $_POST['name'];
   $email = $_POST['email'];
   $template = str_replace("{{{name}}}", $name, $template);
   $template = str_replace("{{{email}}}", $email, $template);

And my about.php has (I tried with and without the echo):

<?php echo "<h1>{{{name}}}</h1>"; ?>
<?php echo "<p>{{{email}}}</p>"; ?>

I also created a .txt file that’s ready with $template = “{{{name}}} {{{email}}}”; for simplicity.


Well, it appears you have the basic understanding of some of the ways to handle this.

Of course, you are not protecting your system from hackers using that code as-is.
You should validate the name and email to insure they are safe and not hacked inputs.
Read up on filter_input() function for that. And, the {{{ }}} was just something I stuck in as an example.
You could change it to any unique sequence you like.

You are welcome!

I do intend on securing this entire thing, so no worries there. Ok, I’ll also make note of the filter_input function. Yes, I have tried different unique name but, sadly, no luck. I’ll keep on tinkering if I can get this to work, thanks again.

It is simple to test the progress and debug it. Here are some examples…

After you load the template (about.php), put a line under that line that gives you the output you loaded.


This will stop the execution and show you the file. Of course it is PHP so it will show you the source,
not the live output. But, this way you can see if it retrieved the file correctly. Remove the line if okay.

You can do the same for name and email to see what is being retrieved. Also, lastly, you can show
the outputs after each of the replaces to see if each are working okay.

Just some more thoughts on how to debug code… Good luck. (Leaving shortly for many hours!)

You need some type of user authentication and user permission system to control exactly who can view the setup form(s) and have the form processing coded executed.

Web servers are stateless. Any post data is lost when the form processing code ends. You must store the submitted data somewhere. A database is the simplest method, requiring the least amount of code to both store and retrieve the data. Storing the data in a file will require you to store it in such a way that whatever a value might contain, such as a tab, comma, quote, semi-colon, new-line, or any other permitted character, that could have meaning in a file storage format, won’t break the formatting in the file. One such format that would work for this is using JSON encoded data.

You appear to initially have wanted to literally put the submitted values into the desired locations in the source .php file(s) and save the .php files. This is problematic since it can easily result in breaking the base markup in the file, being unable to find and replace previously saved values, keeping files up to date and in sync, or updating the base template with new/better markup.

This is why @ErnieAlex has suggested using tags in a template file, that get replaced, at run-time (this point perhaps was not clear), with the actual saved values. The processing to display any web page would be - read the saved values (database or file), read the template file(s) for the current page, apply htmlentities() to the values right before they are being used (in order to prevent any html entities in them from breaking the markup on the web page and to prevent any php code in a value from being recognized and executed via an eval() statement that would be needed to get your own php code in the template to run - it won’t run using the current code), replace the tags in the template (which is now in a php variable) with the corresponding values, and finally output the result to the browser.

Sponsor our Newsletter | Privacy Policy | Terms of Service