Reading and writing files in PHP

Hello,
I have a question about how PHP handles multiple file reads/ writes.
I made a page containing a self-submitting form where the user can
type his name, topic and a text. When he submits the form, PHP reads
the .php file in a variable. It then processes it: adds the user
comments to the var and writes the modified file back to disk. Next
time the user opens the page (s)he sees the comments (s)he and others
added.
So what I have is a very simple 'Blog' without using a database. The
.php file is modifying itself every time a user submits something.

Questions
What happens when 2 (or more) users simultaneously submit this form?
What happens when user A submits a form and _while_ the server is processing the file (not having written yet the modified file) user B submits his form?
What happens when multiple users submit a form while the server is processing a submit?
Does PHP keep track of who's first or do I have to build a locking mechanism to secure things?
What are other pitfalls and security related issues using this approach I oversee?


This is just curiosity - I am not planning to create a full-fledged
system using this technique. Just wondering, learning server side
webscripting.

Thanks a lot,

Marc
Jul 16 '05 #1



"Marc" <me**********@yahoo.com> wrote in message
news:ac**************************@posting.google.c om...
Hello,
I have a question about how PHP handles multiple file reads/ writes.
I made a page containing a self-submitting form where the user can
type his name, topic and a text. When he submits the form, PHP reads
the .php file in a variable. It then processes it: adds the user
comments to the var and writes the modified file back to disk. Next
time the user opens the page (s)he sees the comments (s)he and others
added.
So what I have is a very simple 'Blog' without using a database. The
.php file is modifying itself every time a user submits something.

Questions
What happens when 2 (or more) users simultaneously submit this form?
What happens when user A submits a form and _while_ the server is processing the file (not having written yet the modified file) user B
submits his form? What happens when multiple users submit a form while the server is processing a submit? Does PHP keep track of who's first or do I have to build a locking mechanism to secure things?

Try a simple flock() to prevent multiple users from overwriting the file,
this will give you better concurrency (but not perfect). Read up on the
flock function in the PHP manual. I was under the impression it worked only
on *nix boxes, but seems it may also work on 2000/XP/NT with NTFS.

What are other pitfalls and security related issues using this approach
I oversee?

A major problem is code injection. Anybody can enter PHP code into the input
box on the submit form, then you save it to your php file, and it gets
executed, allowing me to execute arbitrary code on your server.

What will happen:

At your form, I enter:
Text: [ <?php phpinfo(); ?> ]

If in your file (blog.php) you have:

Jane: Yo!
Bob: Hallo world!!!

And after my form submission it becomes:

Jane: Yo!
Bob: Hallo world!!!
<?php phpinfo(); ?>

so now of course, when I reopen it, ...
http://www.yourdomain.com/blog.php

it executes phpinfo() and reports your system configuration back to me.
Very useful, and of course the attacks can get much worse, I can execute any
php code I like, so I can do anything!!

One option here is to make your "blog" page a static html, i.e. give it a
.html extension and don't execute dynamic code in it. If you have to execute
code in it for other purposes, make sure you at least strip away all
possible php code tags, that is <?, <?php, <?=, <%, <%=, %> and ?>

Thanks
Mark
---------------------------------------------------------------------------
Windows, Linux and Internet Development Consultant
Email: co*******@scriptsmiths.com
Web: http://www.scriptsmiths.com
---------------------------------------------------------------------------


This is just curiosity - I am not planning to create a full-fledged
system using this technique. Just wondering, learning server side
webscripting.

Thanks a lot,

Marc



Jul 16 '05 #2
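
The locking and injection points from the reply above, as an added example that is not part of the original thread: comments go into a separate data file under an exclusive flock(), and are HTML-escaped when displayed, so submitted PHP tags are never parsed. The names COMMENTS_FILE, add_comment and render_comments and the record format are assumptions made for this sketch.

```php
<?php
// Added example; COMMENTS_FILE, add_comment and render_comments are hypothetical names.
// Comments live in a data file that the web server never parses as PHP.
const COMMENTS_FILE = __DIR__ . '/comments.txt';

function add_comment(string $file, string $name, string $text): bool
{
    // One record per line; base64 keeps tabs and newlines from forging records.
    $record = base64_encode($name) . "\t" . base64_encode($text) . "\n";
    $fh = fopen($file, 'ab');               // append; creates the file if missing
    if ($fh === false) {
        return false;
    }
    $ok = false;
    if (flock($fh, LOCK_EX)) {              // blocks until other writers unlock
        $ok = fwrite($fh, $record) === strlen($record);
        fflush($fh);                        // flush before releasing the lock
        flock($fh, LOCK_UN);
    }
    fclose($fh);
    return $ok;
}

function render_comments(string $file): string
{
    $html = '';
    $fh = is_file($file) ? fopen($file, 'rb') : false;
    if ($fh === false) {
        return $html;                       // nothing posted yet
    }
    flock($fh, LOCK_SH);                    // shared lock: wait out a writer
    while (($line = fgets($fh)) !== false) {
        $parts = explode("\t", rtrim($line, "\n"));
        if (count($parts) !== 2) {
            continue;                       // skip malformed records
        }
        $name = (string) base64_decode($parts[0], true);
        $text = (string) base64_decode($parts[1], true);
        // Escape on output so PHP tags or <script> show up as text, never run.
        $html .= '<p><b>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . ':</b> '
            . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $html;
}

add_comment(COMMENTS_FILE, 'Bob', 'Hallo world!!!');
add_comment(COMMENTS_FILE, 'Mark', '<?php phpinfo(); ?>'); // the thread's test input
echo render_comments(COMMENTS_FILE);
```

flock() is advisory, so it only protects the file if every reader and writer takes the lock.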

Mark,

thanks for the tip. The code injection problem I solved with
str_replace. I only care about php and HTML/JavaScript tags since a
.php file doesn't get parsed by an asp or cf server... It seems to work
OK on this small server but then all you can do is display values in
the order they are entered by successive users - nothing dynamic like
sorting, categorizing etc a database allows you to.

Marc
Jul 16 '05 #3
