NYCPHP Meetup

[nycphp-talk] using PHP to create a php file

Nestor rotsen at gmail.com
Fri Jun 9 16:08:33 EDT 2006


Yes,  That is what I am have decided to do.  Just reading and writing
a txt file.
The php file just include this text file.

I was having problems with the txt file until I found out that there
was a cron job that every hour chmods the values of all the
directories and files to non 755 under the web directory.


Thanks,

Néstor :-)


On 6/9/06, csnyder <chsnyder at gmail.com> wrote:
> On 6/7/06, Michael Southwell <michael.southwell at nyphp.org> wrote:
> > At 08:09 PM 6/7/2006, you wrote:
> > >When I try to write the new php file it fails because it has no
> > >permissions to create
> > >a file in the web directory.  No httpd is being run by use nobody and
> > >the file itself is
> > >own by root.
> > >
> > >Why can I create php file on this directory?
> >
> > You just said yourself why you can't:  because your script has no
> > write permissions.  chmod the target directory to 777 and you will be
> > able to write to it. Alas, so will anybody else, so there is a
> > certain security risk involved here.  Only you can decide whether the
> > ability to write is worth the risk that others can also.  (You might
> > however consider writing to somewhere outside the web directory if
> > that is possible in your context.)
> >
> >
> > Michael Southwell, Vice President for Education
> > New York PHP
> > http://www.nyphp.com/training - In-depth PHP Training Courses
> >
>
> My jaw hit the desk on this one, guys. Do not allow the webserver to
> create php scripts, under any circumstances ever. It's just asking for
> trouble.
>
> Abstract the data (job listings) into a text file or sqlite database
> and give the webserver password protected write access to that. Or use
> a .csv file and edit the records by hand using Excel or EditGrid.com.
>
> If you need to create world-writeable directories for uploaded files
> (and you _do_ need them sometimes), you should also take steps (via
> Apache config or .htaccess) that php scripts residing in those
> directories cannot be executed.
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> New York PHP Conference and Expo 2006
> http://www.nyphpcon.com
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>



More information about the talk mailing list