Reading and writing files in PHP

  • Marc

    Reading and writing files in PHP

    Hello,
    I have a question about how PHP handles multiple file reads/writes.
    I made a page containing a self-submitting form where the user can
    type his name, topic and a text. When he submits the form, PHP reads
    the .php file in a variable. It then processes it: adds the user
    comments to the var and writes the modified file back to disk. Next
    time the user opens the page (s)he sees the comments (s)he and others
    added.
    So what I have is a very simple 'Blog' without using a database. The
    .php file is modifying itself every time a user submits something.

    Questions
    > What happens when 2 (or more) users simultaneously submit this form?
    > What happens when user A submits a form and _while_ the server is processing the file (not having written yet the modified file) user B submits his form?
    > What happens when multiple users submit a form while the server is processing a submit?
    > Does PHP keep track of who's first or do I have to build a locking mechanism to secure things?
    > What are other pitfalls and security-related issues using this approach I oversee?

    This is just curiosity - I am not planning to create a full-fledged
    system using this technique. Just wondering, learning server side
    webscripting.

    Thanks a lot,

    Marc
  • Mark Hewitt

    #2
    Re: Reading and writing files in PHP


    "Marc" <meelzooi2000@yahoo.com> wrote in message
    news:acad69df.0309010758.2de3fef5@posting.google.com...
    > Hello,
    > I have a question about how PHP handles multiple file reads/writes.
    > I made a page containing a self-submitting form where the user can
    > type his name, topic and a text. When he submits the form, PHP reads
    > the .php file in a variable. It then processes it: adds the user
    > comments to the var and writes the modified file back to disk. Next
    > time the user opens the page (s)he sees the comments (s)he and others
    > added.
    > So what I have is a very simple 'Blog' without using a database. The
    > .php file is modifying itself every time a user submits something.
    >
    > Questions
    > > What happens when 2 (or more) users simultaneously submit this form?
    > > What happens when user A submits a form and _while_ the server is
    > > processing the file (not having written yet the modified file) user B
    > > submits his form?
    > > What happens when multiple users submit a form while the server is
    > > processing a submit?
    > > Does PHP keep track of who's first or do I have to build a locking
    > > mechanism to secure things?

    Try a simple flock() to prevent multiple users from overwriting the file,
    this will give you better concurrency (but not perfect). Read up on the
    flock function in the PHP manual. I was under the impression it worked only
    on *nix boxes, but seems it may also work on 2000/XP/NT with NTFS.

    > > What are other pitfalls and security related issues using this approach
    > > I oversee?

    A major problem is code injection. Anybody can enter PHP code into the input
    box on the submit form, then you save it to your php file, and it gets
    executed, allowing me to execute arbitrary code on your server.

    What will happen:

    At your form, I enter:
    Text: [ <?php phpinfo(); ?> ]

    If in your file (blog.php) you have:

    Jane: Yo!
    Bob: Hallo world!!!

    And after my form submission it becomes:

    Jane: Yo!
    Bob: Hallo world!!!
    <?php phpinfo(); ?>

    so now of course, when I reopen it, ...
    http://www.yourdomain.com/blog.php

    it executes phpinfo() and reports your system configuration back to me.
    Very useful, and of course the attacks can get much worse, I can execute any
    php code I like, so I can do anything!!

    One option here is to make your "blog" page a static html, i.e. give it a
    .html extension and don't execute dynamic code in it. If you have to execute
    code in it for other purposes, make sure you at least strip away all
    possible php code tags, that is <?, <?php, <?=, <%, <%=, %> and ?>

    Thanks
    Mark
    ---------------------------------------------------------------------------
    Windows, Linux and Internet Development Consultant
    Email: corporate@scriptsmiths.com
    Web: http://www.scriptsmiths.com
    ---------------------------------------------------------------------------

    >
    > This is just curiosity - I am not planning to create a full-fledged
    > system using this technique. Just wondering, learning server side
    > webscripting.
    >
    > Thanks a lot,
    >
    > Marc
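
The two points from the reply above (lock the file during the update, and keep submitted text from ever being executed) combined in one PHP example. This is an added example, not code from either poster: the function names and the data-file path are hypothetical, and it encodes input with htmlspecialchars() instead of stripping tags one by one.

```php
<?php
// Added example; function and file names are hypothetical. Comments live in
// a data file that is only read as bytes, and the thread's read-modify-write
// cycle runs under one exclusive lock.

function append_comment(string $dataFile, string $name, string $text): bool
{
    // 'c+' = read/write, create if missing, do NOT truncate on open,
    // so nothing is destroyed before the lock is held.
    $fh = fopen($dataFile, 'c+');
    if ($fh === false) {
        return false;
    }
    if (!flock($fh, LOCK_EX)) {   // blocks until no other request holds it
        fclose($fh);
        return false;
    }
    $existing = (string) stream_get_contents($fh);

    // Encode <, >, & and quotes, so "<?php", "<%" and "<script>" are
    // stored as inert text instead of being stripped tag by tag.
    $entry = htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ': '
           . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "<br>\n";
    rewind($fh);
    ftruncate($fh, 0);
    $ok = fwrite($fh, $existing . $entry) !== false;
    fflush($fh);                  // flush before the lock is released
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

function read_comments(string $dataFile): string
{
    $fh = @fopen($dataFile, 'r');
    if ($fh === false) {
        return '';
    }
    flock($fh, LOCK_SH);          // wait out a writer that is mid-rewrite
    $html = (string) stream_get_contents($fh);  // bytes only; never include() this
    fclose($fh);                  // closing releases the lock
    return $html;
}

// Constructed input mirroring the thread's example.
$file = sys_get_temp_dir() . '/blog_comments_demo.html';
@unlink($file);
append_comment($file, 'Bob', 'Hallo world!!!');
append_comment($file, 'Mallory', '<?php phpinfo(); ?>');
echo read_comments($file);
```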





    • Marc

      #3
      Re: Reading and writing files in PHP

      "Mark Hewitt" <corporate@scriptsmiths.com> wrote in message news:<3f5431ea$0$64719@hades.is.co.za>...
      > "Marc" <meelzooi2000@yahoo.com> wrote in message
      > news:acad69df.0309010758.2de3fef5@posting.google.com...
      > > Hello,
      > > I have a question about how PHP handles multiple file reads/writes.
      > > I made a page containing a self-submitting form where the user can
      > > type his name, topic and a text. When he submits the form, PHP reads
      > > the .php file in a variable. It then processes it: adds the user
      > > comments to the var and writes the modified file back to disk. Next
      > > time the user opens the page (s)he sees the comments (s)he and others
      > > added.
      > > So what I have is a very simple 'Blog' without using a database. The
      > > .php file is modifying itself every time a user submits something.
      > >
      > > Questions
      > > > What happens when 2 (or more) users simultaneously submit this form?
      > > > What happens when user A submits a form and _while_ the server is
      > > > processing the file (not having written yet the modified file) user B
      > > > submits his form?
      > > > What happens when multiple users submit a form while the server is
      > > > processing a submit?
      > > > Does PHP keep track of who's first or do I have to build a locking
      > > > mechanism to secure things?
      >
      > Try a simple flock() to prevent multiple users from overwriting the file,
      > this will give you better concurrency (but not perfect). Read up on the
      > flock function in the PHP manual. I was under the impression it worked only
      > on *nix boxes, but seems it may also work on 2000/XP/NT with NTFS.
      >
      >
      > > > What are other pitfalls and security related issues using this approach
      > > > I oversee?
      >
      > A major problem is code injection. Anybody can enter PHP code into the input
      > box on the submit form, then you save it to your php file, and it gets
      > executed, allowing me to execute arbitrary code on your server.
      >
      > What will happen:
      >
      > At your form, I enter:
      > Text: [ <?php phpinfo(); ?> ]
      >
      > If in your file (blog.php) you have:
      >
      > Jane: Yo!
      > Bob: Hallo world!!!
      >
      > And after my form submission it becomes:
      >
      > Jane: Yo!
      > Bob: Hallo world!!!
      > <?php phpinfo(); ?>
      >
      > so now of course, when I reopen it, ...
      > http://www.yourdomain.com/blog.php
      >
      > it executes phpinfo() and reports your system configuration back to me.
      > Very useful, and of course the attacks can get much worse, I can execute any
      > php code I like, so I can do anything!!
      >
      > One option here is to make your "blog" page a static html, i.e. give it a
      > .html extension and don't execute dynamic code in it. If you have to execute
      > code in it for other purposes, make sure you at least strip away all
      > possible php code tags, that is <?, <?php, <?=, <%, <%=, %> and ?>
      >
      > Thanks
      > Mark
      > ---------------------------------------------------------------------------
      > Windows, Linux and Internet Development Consultant
      > Email: corporate@scriptsmiths.com
      > Web: http://www.scriptsmiths.com
      > ---------------------------------------------------------------------------
      >
      >
      > >
      > > This is just curiosity - I am not planning to create a full-fledged
      > > system using this technique. Just wondering, learning server side
      > > webscripting.
      > >
      > > Thanks a lot,
      > >
      > > Marc


      Mark,

      thanks for the tip. The code injection problem I solved with
      str_replace. I only care about php and HTML/JavaScript tags since a
      .php file doesn't get parsed by an asp or cf server... It seems to work
      OK on this small server but then all you can do is display values in
      the order they are entered by successive users - nothing dynamic like
      sorting, categorizing etc a database allows you to.

      Marc
