I am creating a web application that I hope to release to the public for downloading and installing on anyone's own web server; however, I was just informed that some web hosts disable the use of fopen in PHP due to "security issues", particularly on shared hosts. I use fopen during the installation process of the application; should I be concerned about this? Is this a common practice in shared hosts? If so, is there another way I can write to a file? I have heard of cURL, but this would require more advanced knowledge on the part of the end user, no? If so, this can obviously not be expected. Thanks very much!

+2  A: 

fopen() is never disabled. The php.ini setting "allow_url_fopen" however is. So if you only access local files, not http:// URLs via fopen() this is not really a concern.

If you need URL support you should otherwise include an HTTP request class, like the one in PEAR. This way you avoid the user-unfriendly dependency on the cURL extension module.

mario
What about creating temporary files with something such as `tempnam()`? Accessing these with `fopen()` doesn't use URLs, does it?
Ben
@Ben: No, that's safe. tempnam() creates just local files, no URLs involved either.
mario
Never say never: arbitrary functions CAN be disabled....
Wrikken
@Wrikken Agreed. Although, a host that disables all filesystem functions would be a bit too restrictive for its own good.
deceze
@deceze : indeed, no argument there.
Wrikken
@mario Thanks very much for the help! Glad I don't have to change things around.
Ben
+2  A: 

In my limited experience, fopen() is seldom disabled. Writing to a local file with curl is nonsense, so this wouldn't be an alternative. As all writing to a local file kind of depends on fopen, the most usual route for normal packages is:

  1. Trying to set the content in a file on installation (possibly a file already there with a decent default in the normal packages files).
  2. On failure, present the user with the content you'd like to set, and offer him the option to either copy/paste that content manually, or to retry to set the content (for instance, when the user sets the file permissions correctly, which you of course explain how to do).
Wrikken
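
The write-then-fall-back flow from the two steps above, as an added PHP example (not code from the answer). The function names `fn_usable` and `write_config`, the `config.php` path and the sample content are assumptions made for illustration.

```php
<?php
// Added example: hypothetical installer helpers, not from the original answers.

// True if $name exists and is not listed in php.ini's disable_functions.
function fn_usable(string $name): bool {
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($name) && !in_array($name, $disabled, true);
}

// Step 1: try to write $content to the local file $path.
// Returns false when the installer should fall back to manual copy/paste.
function write_config(string $path, string $content): bool {
    if (!fn_usable('fopen') || !fn_usable('fwrite')) {
        return false;                       // host disabled the functions
    }
    // An existing file must be writable; otherwise its directory must be.
    $writable = file_exists($path) ? is_writable($path) : is_writable(dirname($path));
    if (!$writable) {
        return false;                       // permissions not set yet
    }
    $fh = @fopen($path, 'wb');              // local path, so allow_url_fopen is irrelevant
    if ($fh === false) {
        return false;
    }
    $ok = fwrite($fh, $content) === strlen($content);
    fclose($fh);
    if ($ok) {
        @chmod($path, 0600);                // restrict the file to the owning account
    }
    return $ok;
}

// Constructed sample input: a config file the installer wants to create.
$path    = __DIR__ . '/config.php';
$content = "<?php\nreturn ['db_host' => 'localhost'];\n";

if (write_config($path, $content)) {
    echo "<p>Configuration written to " . htmlspecialchars($path) . "</p>\n";
} else {
    // Step 2: show the content, HTML-escaped, so the user can paste it manually
    // or fix the permissions and reload the page to retry.
    echo "<p>Could not write " . htmlspecialchars($path) . ". Create it with the "
       . "content below, or fix the file permissions and retry.</p>\n"
       . "<textarea rows=\"6\" cols=\"70\" readonly>"
       . htmlspecialchars($content, ENT_QUOTES, 'UTF-8') . "</textarea>\n";
}
```
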
+1  A: 

using cURL:

    // Perform an HTTP request with cURL.
    // Returns the response body on success, 0 if the request failed.
    function GET($url, $header = null, $post = 0, $cookie = null) {
        $handle = curl_init();
        curl_setopt($handle, CURLOPT_URL, $url);
        // Include the response headers in the output when $header is truthy
        curl_setopt($handle, CURLOPT_HEADER, (bool) $header);
        curl_setopt($handle, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
        if ($post) {
            curl_setopt($handle, CURLOPT_POST, true);
            curl_setopt($handle, CURLOPT_CUSTOMREQUEST, "POST");
            curl_setopt($handle, CURLOPT_POSTFIELDS, $post);
        }
        if ($cookie !== null) {
            curl_setopt($handle, CURLOPT_COOKIE, $cookie);
        }
        // CURLOPT_SSL_VERIFYPEER is left at its default (true) so that
        // certificates of https URLs are validated.
        $buffer = curl_exec($handle);
        return $buffer ? $buffer : 0;
    }

    // A basic example of a request:
    echo GET('http://google.com', 1);

    // Post data:
    GET('/test.php', 1,
        array('Name' => 'Jet',
              'id' => 12,
              'foo' => 'abc'));
    // returns:
    //     on success: the source code
    //     0: request failed

    // Send cookies:
    GET('http://example.com/send.php', 1,
        array('Name' => 'Jet',
              'id' => 12,
              'foo' => 'abc'), "cookies");

file_put_contents : http://php.net/file_put_contents

Jet