Bytes | Software Development & Data Engineering Community

Reading and writing files in PHP

Hello,
I have a question about how PHP handles multiple file reads/ writes.
I made a page containing a self-submitting form where the user can
type his name, topic and a text. When he submits the form, PHP reads
the .php file in a variable. It then processes it: adds the user
comments to the var and writes the modified file back to disk. Next
time the user opens the page (s)he sees the comments (s)he and others
added.
So what I have is a very simple 'Blog' without using a database. The
.php file is modifying itself every time a user submits something.

Questions
What happens when 2 (or more) users simultaneously submit this form?
What happens when user A submits a form and _while_ the server is processing the file (not having written the modified file yet) user B submits his form?
What happens when multiple users submit a form while the server is processing a submit?
Does PHP keep track of who's first or do I have to build a locking mechanism to secure things?
What other pitfalls and security-related issues of this approach am I overlooking?


This is just curiosity - I am not planning to create a full-fledged
system using this technique. Just wondering, learning server-side
web scripting.

Thanks a lot,

Marc
Jul 16 '05 #1

"Marc" <me**********@yahoo.com> wrote in message
news:ac**************************@posting.google.com...
> Questions
> What happens when 2 (or more) users simultaneously submit this form?
> What happens when user A submits a form and _while_ the server is processing the file (not having written the modified file yet) user B
> submits his form? What happens when multiple users submit a form while the server is processing a submit? Does PHP keep track of who's first or do I have to build a locking mechanism to secure things?

Try a simple flock() to prevent multiple users from overwriting the file;
this will give you better concurrency (but not perfect). Read up on the
flock function in the PHP manual. I was under the impression it worked only
on *nix boxes, but it seems it may also work on 2000/XP/NT with NTFS.

> What other pitfalls and security-related issues of this approach
> am I overlooking?

A major problem is code injection. Anybody can enter PHP code into the input
box on the submit form, then you save it to your php file, and it gets
executed, allowing me to execute arbitrary code on your server.

What will happen:

At your form, I enter:
Text: [ <?php phpinfo(); ?> ]

If in your file (blog.php) you have:

Jane: Yo!
Bob: Hallo world!!!

And after my form submission it becomes:

Jane: Yo!
Bob: Hallo world!!!
<?php phpinfo(); ?>

so now of course, when I reopen it, ...
http://www.yourdomain.com/blog.php

it executes phpinfo() and reports your system configuration back to me.
Very useful, and of course the attacks can get much worse, I can execute any
php code I like, so I can do anything!!

One option here is to make your "blog" page static html, i.e. give it a
.html extension and don't execute dynamic code in it. If you have to execute
code in it for other purposes, make sure you at least strip away all
possible php code tags, that is <?, <?php, <?=, <%, <%=, %> and ?>

Thanks
Mark
---------------------------------------------------------------------------
Windows, Linux and Internet Development Consultant
Email: co*******@scriptsmiths.com
Web: http://www.scriptsmiths.com
---------------------------------------------------------------------------


Jul 16 '05 #2
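The locking Mark suggests, worked through as an added example (this is not code from the thread or from either poster). It shows what flock() gives Marc's read-modify-write design and what it does not: an exclusive lock serializes the writers, but readers that never call flock(), including the PHP engine when it loads blog.php to serve the next request, are only protected if the file is replaced atomically rather than truncated and rewritten in place. The file names and the side-car lock file are assumptions for the demo.

```php
<?php
// Added example, not code from the thread. Serializes concurrent writers
// with flock() and replaces the data file atomically with rename(), so a
// reader (or the PHP engine executing the page) never sees a half-written
// file. File names are assumptions.
declare(strict_types=1);

/**
 * Apply $transform to the current contents of $path and replace the file.
 * Concurrent callers are serialized on a side-car lock file; the data file
 * itself is never truncated in place.
 */
function update_file_atomically(string $path, callable $transform): bool
{
    // A separate lock file, because rename() below swaps in a new inode;
    // a lock held on the old inode would not serialize the next writer.
    $lock = fopen($path . '.lock', 'c');    // 'c' creates without truncating
    if ($lock === false) {
        return false;
    }
    // LOCK_EX blocks until the previous writer has released. On Unix the
    // lock is advisory: only code that also calls flock() is excluded.
    if (!flock($lock, LOCK_EX)) {
        fclose($lock);
        return false;
    }
    try {
        $current = is_file($path) ? (string) file_get_contents($path) : '';
        $updated = $transform($current);

        // Write to a temp file in the same directory (same filesystem) so
        // the final rename() is an atomic replace rather than a copy.
        $tmp = tempnam(dirname($path), '.blog-');
        if ($tmp === false || file_put_contents($tmp, $updated) === false) {
            return false;
        }
        chmod($tmp, 0644);                  // tempnam() creates the file 0600
        return rename($tmp, $path);
    } finally {
        flock($lock, LOCK_UN);              // released even if we returned early
        fclose($lock);
    }
}

// Demo with constructed comments (not real posts) in a temp directory.
$page = sys_get_temp_dir() . '/blog-demo.html';
@unlink($page);
foreach (['Jane: Yo!', 'Bob: Hallo world!!!'] as $comment) {
    update_file_atomically($page, fn(string $old): string => $old . $comment . "\n");
}
echo file_get_contents($page);
```

Two users submitting at once now queue on the lock instead of both reading the same old contents and the second overwriting the first's comment. The "not perfect" part remains: the lock is advisory on Unix, so any other script that writes the file without flock() still races, and the PHP manual notes that flock() does not work on NFS and many other network filesystems.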
"Mark Hewitt" <co*******@scriptsmiths.com> wrote in message news:<3f**************@hades.is.co.za>...

Mark,

thanks for the tip. The code injection problem I solved with
str_replace. I only care about php and HTML/JavaScript tags since a
.php file doesn't get parsed by an ASP or CF server... It seems to work
OK on this small server, but then all you can do is display values in
the order they are entered by successive users - nothing dynamic like
the sorting, categorizing etc. that a database allows you to do.

Marc
Jul 16 '05 #3
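Both Mark's suggestion to strip the PHP tags and Marc's str_replace solution rely on one filtering pass over the input, and a single pass is not enough when the output is going to be executed. The added example below (not code from the thread) runs the tag list from Mark's post through str_replace() once, shows a constructed input whose removals reassemble an opening tag, then shows the two things a practitioner would actually do: repeat the filter until the string stops changing, and, better, keep comments in a plain data file and HTML-escape them on output so that neither PHP nor HTML/JavaScript in a comment is ever interpreted. The payload and the file name are assumptions for the demo.

```php
<?php
// Added example, not code from the thread. (1) why a single str_replace()
// pass does not keep PHP out of a file the server will execute, and
// (2) the design that avoids the problem: comments live in a data file and
// are escaped when rendered. File names and the payload are constructed.
declare(strict_types=1);

// The tag list from the thread, in the order given there.
const PHP_OPEN_CLOSE_TAGS = ['<?', '<?php', '<?=', '<%', '<%=', '%>', '?>'];

// One pass: str_replace() applies the searches one after another, left to
// right, and never re-scans text produced by an earlier removal.
function strip_tags_once(string $s): string
{
    return str_replace(PHP_OPEN_CLOSE_TAGS, '', $s);
}

// Repeating until nothing changes closes the reassembly hole; every pass
// that changes anything shortens the string, so the loop terminates.
function strip_tags_until_stable(string $s): string
{
    do {
        $before = $s;
        $s = str_replace(PHP_OPEN_CLOSE_TAGS, '', $s);
    } while ($s !== $before);
    return $s;
}

// Constructed payload: removing "<?" leaves "<?>?php ...", and removing
// "?>" from that leaves "<?php ...". No closing tag is needed, PHP runs
// to end of file.
$payload = '<<??>?php phpinfo();';
echo "single pass : ", strip_tags_once($payload), "\n";
echo "until stable: ", strip_tags_until_stable($payload), "\n";

// (2) The fix: never write user input into an executable file. One JSON
// object per line, so newlines inside a comment cannot split a record;
// LOCK_EX serializes concurrent appends.
function store_comment(string $dataFile, string $name, string $text): void
{
    $record = json_encode(['name' => $name, 'text' => $text], JSON_THROW_ON_ERROR);
    file_put_contents($dataFile, $record . "\n", FILE_APPEND | LOCK_EX);
}

// Escape at output time; nl2br() runs after htmlspecialchars() so the
// <br /> it inserts are the only tags that reach the browser.
function render_comments(string $dataFile): string
{
    $html = '';
    $lines = file($dataFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
    foreach ($lines as $line) {
        $c = json_decode($line, true, 512, JSON_THROW_ON_ERROR);
        $html .= '<p><b>' . htmlspecialchars($c['name'], ENT_QUOTES, 'UTF-8') . '</b>: '
               . nl2br(htmlspecialchars($c['text'], ENT_QUOTES, 'UTF-8')) . "</p>\n";
    }
    return $html;
}

$dataFile = sys_get_temp_dir() . '/comments-demo.txt';   // assumed location
@unlink($dataFile);
store_comment($dataFile, 'Jane', 'Yo!');
store_comment($dataFile, 'Mallory', $payload);
echo render_comments($dataFile);
```

With the list applied once, the payload comes out as `<?php phpinfo();`, which is exactly what the filter was meant to remove; the until-stable variant reduces it to `php phpinfo();`. Even the stable variant only addresses PHP tags, so the data-file design is the one to keep: the comment file is never handed to the PHP parser (put it outside the web root, or at least give it a name the server serves as plain text), and htmlspecialchars() on output covers the HTML/JavaScript case Marc mentions without any blacklist.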
