So I am working on a super simple blog that uses the markdown format with rss.reader for the posts. It is extremely simple, yet complicated for the people that I want to be able to make posts. So I have created a simple "file creator", if you will, type form that uses hallojs. It takes the converted markdown code for hallojs and writes it to a file based on user input (2014-04-08_markdown-file-test.md). It is composed of index.html and post.php. This is going smoothly except for one issue:

There are three specific "websites" that any of these blog posts can be created on, so I included a select option, which means that my directories are now available and easy pickings for malicious crackers. As a security measure I have included the necessary .htaccess to "deny from all" and prevent anyone from sneaking in, but based on the form, they would easily be able to inject their own files and run them, so I am trying to figure out a way to prevent this. My first thought was declaring the directory in the php file as opposed to plainly displaying it in the index.html; however, I think I confused myself and now I am going in circles. Here are my sources:

index.htm

 <article>
 <div class="editable" contenteditable="true"> <!-- hallojs user input -->
 <h1>Create new post</h1>

 <p> Please edit your blog post! :D
 </p>
 </div>
 </article>

 <form name="form1" method="post" action="post.php">
 <textarea id="source" name="textfield"></textarea> <!-- markdown output -->
 <table width="100%" border="0" cellspacing="1" cellpadding="3">
 <tr>
 <td width="16%">Date</td>
 <td width="2%"></td>
 <td width="82%">
 <input name="date" type="text" id="date" size="50"></td>
 </tr>
 <tr>
 <td>Title</td>
 <td></td>
 <td><input name="title" type="text" id="title" size="50"></td>
 </tr>
 <tr>
 <td>Which Site?</td>
 <td></td>
 <td><select name="dir">
 <option value="path/to/dir1">Site1</option>
 <option value="path/to/dir2">Site2</option>
 <option value="path/to/dir3">Site3</option>
 </select></td></tr>
 <tr>
 <td>&nbsp;</td>
 <td>&nbsp;</td>
 <td><input type="submit" name="Submit" value="Submit"></td>
 </tr>
 </table></form>

post.php

 <?php
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
          $date        = $_POST['date'];
          $title       = $_POST['title'];
          // In a double-quoted string PHP reads "$date_" as one variable name,
          // so the underscore is kept separate (writing "{$date}_" would also work).
          $underscore  = "_";
          // Taken straight from the <select>: whatever path the client sends is used as-is.
          $dir         = $_POST['dir'];
          $myfile      = fopen("$dir/$date$underscore$title.md", 'w');
          $myfile or die("Can't open file for writing.");
          fwrite($myfile, $_POST['textfield']);
          fclose($myfile);
          echo "Content saved. ";
          echo "Your file: <b>" ;
          echo $date;
          echo $underscore;
          echo $title . ".md</b> ";
          echo "was successfully created!";
     }

 // Print the form
 ?>

I was thinking maybe changing the value of the dropdowns to "dir1... dir2... dir3.." and doing something like this but I just want to make sure it's secure:

 <?php
 $dir = $_POST['dir'];
 if ($dir == "dir1")
 {
     $dir = "path/to/dir1";
 }
 elseif ($dir == "dir2")
 {
     $dir = "path/to/dir2";
 } // etc..
 ?>

I do not think that'll work though, just from looking at it. Any help is appreciated. Oh and, if anyone figures out my $underscore issue, that'd be awesome. The file name output must have an underscore after the date. It didn't work no matter what I tried by putting just the underscore; otherwise I get errors like "$date_ has not been set" and my file gets named simply the $title.md input. It's funny really.


Solution

Sooo... I figured it out! Here is what I changed in case anyone has the same issue (would be an odd one):

<?php
if ($_SERVER['REQUEST_METHOD'] == "POST"){
    $date        = $_POST['date'];
    $title       = $_POST['title'];
    $underscore  = "_";
    $dir         = "";
    if(!isset($_POST['dir'])) $_POST['dir']="";
    // Only the three known labels map to a directory; the path itself never comes from the form.
    switch($_POST['dir']) {
    case "Site1":    $dir = "path/to/site1"; break;
    case "Site2":    $dir = "path/to/site2"; break;
    case "Site3":    $dir = "path/to/site3"; break;
    default:         die("Unknown site.");   // otherwise $dir stays "" and the file lands under "/"
    }

    // $date and $title still go into the path exactly as submitted.
    $myfile      = fopen("$dir/$date$underscore$title.md", 'w');
    $myfile or die("Can't open file for writing.");
    fwrite($myfile, $_POST['textfield']);
    fclose($myfile);
    echo "Content saved. ";
    echo "Your file: <b>" ;
    echo $date;
    echo $underscore;
    echo $title . ".md</b> ";
    echo "was successfully created to the website: <b>";
    echo $_POST['dir'];
    echo "</b>";
}

// Print the form
?>

I am surprised it worked because I have no idea what the hell I was doing; it just seemed logical so I did that.

The funny thing is my original idea worked; elseif all over the place looked extremely ugly though, so I decided to use a switch statement since they are so clean and purdddy. I have yet to figure out the $underscore issue... But for the most part it is more secure now! :}
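A hardened version of the same idea, added here as an example and not the poster's code: the switch becomes a lookup table, an unknown site label is rejected instead of leaving $dir empty, and the date and title are validated before they become part of the path, since the posted code still uses them unchecked; it also shows the {$date}_ brace syntax that makes the separate $underscore variable unnecessary. The /var/www/blog/... directories and the buildPostPath() function name are assumptions.

```php
<?php
// Added example, not the poster's code; the /var/www/blog/... paths and
// the buildPostPath() name are assumptions chosen for illustration.

// Whitelist: the form only ever sends a short label, never a path.
const SITE_DIRS = [
    'Site1' => '/var/www/blog/site1/posts',
    'Site2' => '/var/www/blog/site2/posts',
    'Site3' => '/var/www/blog/site3/posts',
];

// Returns the full target path, or null if any field is unacceptable.
function buildPostPath(array $post): ?string
{
    $dir   = $post['dir']   ?? '';
    $date  = $post['date']  ?? '';
    $title = $post['title'] ?? '';

    // An unknown label (e.g. a tampered <option value>) is rejected instead
    // of falling through to an empty directory.
    if (!array_key_exists($dir, SITE_DIRS)) {
        return null;
    }
    // Date must look like 2014-04-08 and the title is limited to a slug, so
    // neither "../" nor "/" can steer the write into another directory.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9-]{1,80}$/', $title)) {
        return null;
    }
    // Braces stop PHP from reading "$date_" as one variable name, which is
    // the reason the original code needed a separate $underscore variable.
    return SITE_DIRS[$dir] . "/{$date}_{$title}.md";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $path = buildPostPath($_POST);
    if ($path === null) {
        http_response_code(400);
        exit('Invalid site, date or title.');
    }
    // Mode 'x' fails if the file already exists, so no post gets overwritten.
    $fh = fopen($path, 'x') or exit("Can't open file for writing.");
    fwrite($fh, $_POST['textfield'] ?? '');
    fclose($fh);
    // Escape what is echoed back so user input cannot inject HTML into the page.
    echo 'Saved ' . htmlspecialchars(basename($path), ENT_QUOTES, 'UTF-8');
}
```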

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow