[nycphp-talk] using PHP to create a php file
rotsen at gmail.com
Fri Jun 9 16:08:33 EDT 2006
Yes, that is what I have decided to do. Just reading and writing
a txt file.
The php file just includes this text file.
I was having problems with the txt file until I found out that there
was a cron job that every hour chmods the values of all the
directories and files to non 755 under the web directory.
On 6/9/06, csnyder <chsnyder at gmail.com> wrote:
> On 6/7/06, Michael Southwell <michael.southwell at nyphp.org> wrote:
> > At 08:09 PM 6/7/2006, you wrote:
> > >When I try to write the new php file it fails because it has no
> > >permissions to create
> > >a file in the web directory. No httpd is being run by user nobody and
> > >the file itself is
> > >owned by root.
> > >
> > >Why can I create php file on this directory?
> > You just said yourself why you can't: because your script has no
> > write permissions. chmod the target directory to 777 and you will be
> > able to write to it. Alas, so will anybody else, so there is a
> > certain security risk involved here. Only you can decide whether the
> > ability to write is worth the risk that others can also. (You might
> > however consider writing to somewhere outside the web directory if
> > that is possible in your context.)
> > Michael Southwell, Vice President for Education
> > New York PHP
> > http://www.nyphp.com/training - In-depth PHP Training Courses
> My jaw hit the desk on this one, guys. Do not allow the webserver to
> create php scripts, under any circumstances ever. It's just asking for
> Abstract the data (job listings) into a text file or sqlite database
> and give the webserver password protected write access to that. Or use
> a .csv file and edit the records by hand using Excel or EditGrid.com.
> If you need to create world-writeable directories for uploaded files
> (and you _do_ need them sometimes), you should also take steps (via
> Apache config or .htaccess) that php scripts residing in those
> directories cannot be executed.
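
The approach recommended in the quoted reply (keep the job listings as data in a text file instead of letting the webserver write PHP), shown as an added example that is not part of the original thread. The constant `DATA_FILE`, the function names and the two-column title/location layout are assumptions made for illustration. The file is parsed with `fgetcsv()` and escaped on output, so nothing stored in it is ever executed as PHP.

```php
<?php
// Added example: job listings live in a CSV data file, never in generated PHP.
// DATA_FILE is an assumed path; in deployment keep it outside the web root.
define('DATA_FILE', sys_get_temp_dir() . '/job_listings.csv');

function save_listings(string $path, array $rows): void
{
    $fh = fopen($path, 'c');   // create if missing; truncate only once locked
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException("cannot open or lock $path");
    }
    ftruncate($fh, 0);
    foreach ($rows as $row) {
        fputcsv($fh, [$row['title'], $row['location']], ',', '"', '\\');
    }
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
}

function load_listings(string $path): array
{
    $rows = [];
    $fh = @fopen($path, 'r');
    if ($fh === false) {
        return $rows;          // no data file yet: empty list
    }
    flock($fh, LOCK_SH);
    while (($f = fgetcsv($fh, 0, ',', '"', '\\')) !== false) {
        if (count($f) === 2) { // skip blank or malformed lines
            $rows[] = ['title' => $f[0], 'location' => $f[1]];
        }
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $rows;
}

function render_listings(array $rows): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $html = "<ul>\n";
    foreach ($rows as $r) {
        $html .= '<li>' . $esc($r['title']) . ' (' . $esc($r['location']) . ")</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample data; the second title shows that stored PHP tags stay inert text.
save_listings(DATA_FILE, [
    ['title' => 'PHP Developer', 'location' => 'New York'],
    ['title' => '<?php echo "hi"; ?>', 'location' => 'Brooklyn'],
]);
echo render_listings(load_listings(DATA_FILE));
```

Had the page pulled the same file in with `include`, the second record would have run as code; read as data, it reaches the browser as `&lt;?php echo &quot;hi&quot;; ?&gt;`.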