<?php
// save_config.php - writes config.php safely for a small allow-list of keys
// All output of this script, error responses included, is sent as JSON.
header('Content-Type: application/json');
/**
 * Abort the request with a JSON error document.
 *
 * Sets the HTTP status, prints {"ok": false, "error": <message>} and ends
 * the script, so no statement after a call to fail() is executed.
 *
 * @param string $msg  Error text returned to the client.
 * @param int    $code HTTP status code to send (400 unless given).
 */
function fail($msg, $code = 400)
{
    http_response_code($code);

    $payload = ["ok" => false, "error" => $msg];
    echo json_encode($payload);

    exit;
}
// Read the raw request body and decode it as JSON into associative arrays.
// Anything that does not decode to an array (empty body, scalar, malformed
// JSON) is rejected with a 400.
// NOTE(review): no authentication, CSRF token or request-method check is
// visible in this file, although the request ends in a write to a PHP file
// on disk. Confirm that access is restricted before this script runs
// (web-server configuration, a front controller, or an include guard).
$rawBody = file_get_contents('php://input');
$data = json_decode($rawBody, true);
if (is_array($data) === false) {
    fail("Invalid JSON.");
}
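// Allow-list: only these keys are ever read from the request body and written
// to config.php. Any other key in the JSON document is ignored, which keeps
// the set of generated PHP variables fixed by this file, not by the client.
$allowed = [
    "server_name",
    "server_desc",
    "color_bg",
    "color_name",
    "color_text",
    "showdisk",
    "custom_css",
];

// Normalize every allowed value to a string. A missing or null key becomes "".
// json_decode(..., true) can also produce nested arrays; casting one to string
// raises an "Array to string conversion" diagnostic and would store the
// literal text "Array", so such a request is rejected with a 400 instead.
$out = [];
foreach ($allowed as $k) {
    $v = $data[$k] ?? "";
    if (is_array($v)) {
        // $k comes from $allowed above, never from the request.
        fail("Invalid value for " . $k . ".");
    }
    // What remains is a string or a JSON scalar (bool/int/float), which casts
    // to string without a diagnostic.
    $out[$k] = is_string($v) ? $v : (string)$v;
}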
// Basic clean-up: strip surrounding whitespace from the short text fields.
// The colour fields are only trimmed, not checked against a hex pattern such
// as #fff or #ffffff, and custom_css is stored exactly as received.
// NOTE(review): nothing here restricts what these values may contain. The
// pages that read config.php are not shown; whichever page prints these
// values must escape them for its own context (HTML, attribute, CSS) —
// confirm, in particular for custom_css.
$trimmedFields = [
    "color_bg",
    "color_name",
    "color_text",
    "showdisk",
    "server_name",
    "server_desc",
];
foreach ($trimmedFields as $field) {
    $out[$field] = trim($out[$field]);
}
/**
 * Escape a value for use between single quotes in generated PHP source.
 *
 * A single-quoted PHP string treats only \\ and \' as escape sequences, so
 * those are the two characters rewritten here. The result does not include
 * the surrounding quotes; the caller adds them.
 *
 * @param string $s Raw value.
 * @return string Value with every backslash doubled and every single quote
 *                prefixed with a backslash.
 */
function php_sq($s)
{
    // Backslashes first: the backslashes added in front of quotes in the
    // next step must not be doubled again.
    $escaped = str_replace("\\", "\\\\", $s);

    return str_replace("'", "\\'", $escaped);
}
// Build the source of config.php: one `$name = '...';` assignment per key.
// Each value goes through php_sq() and is wrapped in single quotes, which is
// what keeps request data inside a string literal in the generated file. Any
// key added here later needs the same treatment.
$lines = ["<?php"];
$configKeys = [
    "server_name",
    "server_desc",
    "color_bg",
    "color_name",
    "color_text",
    "showdisk",
    "custom_css",
];
foreach ($configKeys as $key) {
    $lines[] = "\$" . $key . " = '" . php_sq($out[$key]) . "';";
}
$php = implode("\n", $lines) . "\n";

// Write next to this script under an exclusive lock. The @ hides the PHP
// warning on failure; the return value is checked instead and reported to
// the client as a JSON 500.
$target = __DIR__ . "/config.php";
$result = @file_put_contents($target, $php, LOCK_EX);
if ($result === false) {
    fail("Could not write config.php (check permissions).", 500);
}

echo json_encode(["ok" => true]);