I'm currently trying to create a CMS using PHP, purely in the interest of education. I want the administrators to be able to create content, which will be parsed and saved on the server storage in pure HTML form to avoid the overhead that executing PHP script would incur. Unfortunately, I could only think of a few ways of doing so:

  • Setting write permission on every directory where the CMS should want to write a file. This sounds like quite a bad idea.
  • Setting write permissions on a single cached directory. A PHP script could then include or fopen/fread/echo the content from a file in the cached directory at request-time. This could perhaps be carried out in a Mediawiki-esque fashion: something like index.php?page=xyz could read and echo content from cached/xyz.html at runtime. However, I'll need to ensure the sanity of $_GET['page'] to prevent nasty variations like index.php?page=http://www.bad-site.org/malicious-script.js.

I'm personally not too thrilled by the second idea, but the first one sounds very insecure. Could someone please suggest a good way of getting this done?

EDIT: I'm not in favour of fetching data from the database. The only time I would want to fetch data from the database would be when the content is cached. Secondly, I do not have access to memcached or any PHP accelerator.
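One way to handle the `$_GET['page']` check from the second option, as an added example that is not part of the question or any of the answers. It assumes the cached HTML lives in a directory named `cached` next to `index.php`; the whitelist regex and the `realpath` containment check are the two layers that stop values like `../x` or a URL from ever reaching the filesystem.

```php
<?php
// Added example (not from the question or answers): serve a cached
// page for index.php?page=xyz without letting $_GET['page'] escape the
// cache directory. CACHE_DIR is an assumed location.
declare(strict_types=1);

const CACHE_DIR = __DIR__ . '/cached';

/**
 * Return the absolute path of the cached HTML file for $page, or null
 * when the name is not acceptable. Validation is by whitelist: only a
 * short run of letters, digits, '-' and '_' is allowed, so values such
 * as "../../etc/passwd" or "http://www.bad-site.org/malicious-script.js"
 * are rejected before any filesystem call is made.
 */
function cachedPagePath(string $page): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base = realpath(CACHE_DIR);
    $path = realpath(CACHE_DIR . '/' . $page . '.html');
    // Defence in depth: even after the whitelist, confirm the resolved
    // path really sits under CACHE_DIR (guards against symlinks that
    // point outside the cache).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$page = $_GET['page'] ?? 'index';
$path = cachedPagePath($page);
if ($path === null) {
    http_response_code(404);
    header('Content-Type: text/plain; charset=utf-8');
    echo "No such page.\n";
    exit;
}
// readfile() streams the bytes as-is; unlike include, it never
// evaluates PHP tags that might have ended up in the cached file.
header('Content-Type: text/html; charset=utf-8');
readfile($path);
```

Pair this with a web-server rule that disables script execution in the `cached` directory, so the directory the CMS writes to is only ever served as static data.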

+1  A: 

You should put your pages in a database and retrieve them using parameterized SQL queries.

SLaks
As I mentioned above, I'm trying to cut down on the execution time of the scripts. I'm sure a trip to the database and back would be somewhat expensive! I do not have access to PHP accelerators or memcached. I suppose I'll edit that into the question too!
susmits
+2  A: 

Since you're building a CMS, you'll have to accept that if the user wants to do evil things to visitors, they very likely can. That's true regardless of where you store your content.

If the public site is all static content, there's nothing wrong with letting the CMS write the files directly. However, you'll want to configure the web server to not execute anything in any directory writable by the CMS.

Even though you don't want to hit the database every time, you can set up a cache to minimize database reads. Zend_Cache works very nicely for this, and can be used quite effectively as a stand-alone component.

timdev
+1 for mentioning execute permissions. However, I don't agree with your first point - you can make the editor's capabilities as restricted as you like (say by stripping javascript). Also it's not just visitors you need to protect, but the integrity of your server.
CurtainDog
Absolutely! Restrict things that make sense, but at the end of the day, the user can still make a web page that says "I am Jon Foo, brother of the recently dethroned king of Nigeria, and I need your help to transfer $42 Million to the USA..." As far as protecting the server, just make sure you're only writing files where you're allowed to write files, and don't let the web server treat anything in there as a script. I don't mean to make any of this sound trivial - a lot of careful work is called for - but it's not inherently insecure, in my estimation.
timdev
The users doing evil things to visitors should not be a problem, I suppose, since the content will be added and cached by a trusted band of people. I was curious if the write permission on a public directory could be used by a malicious visitor as a potential vulnerability. Thanks for pointing the execute part out! I cannot really set up a cache at the moment because budget is a very crucial issue, and we'll most likely be going for a hosting plan that offers us PHP/MySQL with reasonable bandwidth and little else.
susmits
A: 

I'd go with the second option but modify it so the files are retrieved using mod_rewrite rather than a custom PHP function.

CurtainDog