NYCPHP Meetup

NYPHP.org

[nycphp-talk] using PHP to create a php file

csnyder chsnyder at gmail.com
Fri Jun 9 15:31:35 EDT 2006


On 6/7/06, Michael Southwell <michael.southwell at nyphp.org> wrote:
> At 08:09 PM 6/7/2006, you wrote:
> >When I try to write the new php file it fails because it has no
> >permissions to create
> >a file in the web directory.  No httpd is being run by user nobody and
> >the file itself is
> >owned by root.
> >
> >Why can I create php file on this directory?
>
> You just said yourself why you can't:  because your script has no
> write permissions.  chmod the target directory to 777 and you will be
> able to write to it. Alas, so will anybody else, so there is a
> certain security risk involved here.  Only you can decide whether the
> ability to write is worth the risk that others can also.  (You might
> however consider writing to somewhere outside the web directory if
> that is possible in your context.)
>
>
> Michael Southwell, Vice President for Education
> New York PHP
> http://www.nyphp.com/training - In-depth PHP Training Courses
>

My jaw hit the desk on this one, guys. Do not allow the webserver to
create php scripts, under any circumstances ever. It's just asking for
trouble.

Abstract the data (job listings) into a text file or sqlite database
and give the webserver password-protected write access to that. Or use
a .csv file and edit the records by hand using Excel or EditGrid.com.

If you need to create world-writeable directories for uploaded files
(and you _do_ need them sometimes), you should also take steps (via
Apache config or .htaccess) so that php scripts residing in those
directories cannot be executed.
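
An added example, not part of the original post: one way to apply the last paragraph's advice in Apache 2.4 server configuration, so that files landing in a writable upload directory are never executed as PHP. The paths `/var/www/jobs` and `/var/www/jobs/uploads` are assumed placeholders.

```apache
# Assumed layout (placeholders): the site lives in /var/www/jobs and the
# web server user can write to /var/www/jobs/uploads.

<Directory "/var/www/jobs/uploads">
    # Put the rules in server config and ignore .htaccess here: a .htaccess
    # inside a directory the web server can write to can be replaced by
    # whatever writes the uploads, which would undo these rules.
    AllowOverride None

    # No CGI execution, no server-side includes, no directory listings.
    Options -ExecCGI -Includes -Indexes

    # With mod_php, switch the PHP engine off for this tree.
    # The module identifier is php_module on PHP 8 builds; older builds
    # use php7_module or php5_module.
    <IfModule php_module>
        php_admin_flag engine off
    </IfModule>

    # Independent of how PHP is wired in (mod_php or a FilesMatch/SetHandler
    # proxy to php-fpm), refuse to serve script-like names at all.
    # The pattern also matches names such as "photo.php.jpg", which
    # AddHandler-style configurations treat as PHP.
    <FilesMatch "(?i)\.(php\d?|phtml|phar|pht)(\.|$)">
        Require all denied
    </FilesMatch>
</Directory>
```

After a reload, requesting a test `.php` file placed in the upload directory should return 403 rather than running or exposing its source.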


