NYCPHP Meetup

[nycphp-talk] using PHP to create a php file

Nestor rotsen at gmail.com
Fri Jun 9 16:09:45 EDT 2006


I meant to say that it chmods directories and files to 755 :-)

On 6/9/06, Nestor <rotsen at gmail.com> wrote:
> Yes, that is what I have decided to do.  Just reading and writing
> a txt file.
> The php file just includes this text file.
>
> I was having problems with the txt file until I found out that there
> was a cron job that every hour chmods the values of all the
> directories and files to non 755 under the web directory.
>
>
> Thanks,
>
> Néstor :-)
>
>
> On 6/9/06, csnyder <chsnyder at gmail.com> wrote:
> > On 6/7/06, Michael Southwell <michael.southwell at nyphp.org> wrote:
> > > At 08:09 PM 6/7/2006, you wrote:
> > > >When I try to write the new php file it fails because it has no
> > > >permissions to create
> > > >a file in the web directory.  No httpd is being run by user nobody and
> > > >the file itself is
> > > >owned by root.
> > > >
> > > >Why can I create php file on this directory?
> > >
> > > You just said yourself why you can't:  because your script has no
> > > write permissions.  chmod the target directory to 777 and you will be
> > > able to write to it. Alas, so will anybody else, so there is a
> > > certain security risk involved here.  Only you can decide whether the
> > > ability to write is worth the risk that others can also.  (You might
> > > however consider writing to somewhere outside the web directory if
> > > that is possible in your context.)
> > >
> > >
> > > Michael Southwell, Vice President for Education
> > > New York PHP
> > > http://www.nyphp.com/training - In-depth PHP Training Courses
> > >
> >
> > My jaw hit the desk on this one, guys. Do not allow the webserver to
> > create php scripts, under any circumstances ever. It's just asking for
> > trouble.
> >
> > Abstract the data (job listings) into a text file or sqlite database
> > and give the webserver password protected write access to that. Or use
> > a .csv file and edit the records by hand using Excel or EditGrid.com.
> >
> > If you need to create world-writeable directories for uploaded files
> > (and you _do_ need them sometimes), you should also take steps (via
> > Apache config or .htaccess) that php scripts residing in those
> > directories cannot be executed.
> >
>
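The data-file approach recommended in this thread, as an added example that is not code from any of the posters: listings are kept as JSON and read with json_decode() rather than pulled in with include, because include parses the target as PHP whatever its extension, and every field is escaped on output. The function names and file layout are hypothetical; the demo writes to the system temp directory, whereas a real deployment would keep the file outside the web root.

```php
<?php
// Added example: job listings stored as data, never as generated PHP.
// All names here are hypothetical; the sample listing is constructed.

function save_listing(string $path, string $title, string $body): void
{
    // 'c+' creates the file if missing but does not truncate before we hold the lock.
    $fh = fopen($path, 'c+b');
    if ($fh === false || !flock($fh, LOCK_EX)) {
        throw new RuntimeException("cannot open or lock $path");
    }
    $data = json_decode((string) stream_get_contents($fh), true);
    $listings = is_array($data) ? $data : [];   // empty or corrupt file starts a new list
    $listings[] = ['title' => $title, 'body' => $body];
    ftruncate($fh, 0);
    rewind($fh);
    fwrite($fh, json_encode($listings, JSON_PRETTY_PRINT));
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
}

function load_listings(string $path): array
{
    if (!is_file($path)) {
        return [];
    }
    // Read as bytes and decode as JSON: nothing in the file is ever executed.
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : [];
}

function render_listings(array $listings): string
{
    $html = '';
    foreach ($listings as $job) {
        // Escape on output so stored markup or PHP tags are displayed, not interpreted.
        $html .= '<h2>' . htmlspecialchars((string) ($job['title'] ?? ''), ENT_QUOTES, 'UTF-8') . "</h2>\n";
        $html .= '<p>' . htmlspecialchars((string) ($job['body'] ?? ''), ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Demo with constructed input: the body contains a PHP tag and HTML on purpose.
$demo = sys_get_temp_dir() . '/listings-demo.json';
@unlink($demo);
save_listing($demo, 'PHP Developer', 'Apply <b>now</b> <?php echo "not executed"; ?>');
echo render_listings(load_listings($demo));
```

The PHP tag in the sample body comes back as escaped text in the rendered output; the same file loaded with include would have run it.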


