I am creating a web application that I hope to release to the public for downloading and installing on anyone's own web server, however I just was informed that some webhosts disable the use of fopen in php due to "security issues", particularly on shared hosts. I use fopen during the installation process of the application, should I be concerned about this? Is this a common practice in shared hosts? If so, is there another way I can write to a file? I have heard of cURL, but this would require more advanced knowledge on the part of the end user, no? If so, this can obviously not be expected. Thanks very much!
views:
86answers:
3
+2
A:
fopen() is never disabled. The php.ini setting "allow_url_fopen" however is. So if you only access local files, not http:// URLs via fopen() this is not really a concern.
If you need URL support you should otherwise include a HTTP request class, like the one in PEAR. This way you avoid the user-unfriendly dependency on the cURL extension module.
mario
2010-07-15 01:04:00
What about creating temporary files with something such as `tempnam()`? Accessing these with `fopen()` doesn't use URLs, does it?
Ben
2010-07-15 01:10:29
@Ben: No, that's safe. tempnam() creates just local files, no URLs involved either.
mario
2010-07-15 02:05:22
Never say never: arbitrary functions CAN be disabled....
Wrikken
2010-07-15 02:31:38
@Wrikken Agreed. Although, a host that disables all filesystem functions would be a bit too restrictive for its own good.
deceze
2010-07-15 03:20:27
@deceze : indeed, no argument there.
Wrikken
2010-07-15 12:37:30
@mario Thanks very much for the help! Glad I don't have to change things around.
Ben
2010-07-16 20:35:53
+2
A:
In my limited experience, fopen() is seldom disabled. Writing to a local file with curl is nonsense, so this wouldn't be an alternative. As all writing to a local file kind of depends on fopen, the most usual route for normal packages is:
- Trying to set the content in a file on installation (possibly a file already there with a decent default in the normal packages files).
- On failure, present to user with the content you'd like to set, and offer him the option to either copy/paste that content manually, or to retry to set the content (for instance, when the user sets the file permissions correctly, which you of course explain how to do).
Wrikken
2010-07-15 01:09:48
+1
A:
using cURL:
function GET($url,$header = null,$post = 0,$cookie = null){
$handle = curl_init();
curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HEADER, $header);
curl_setopt($handle, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
if($post) {
curl_setopt($handle, CURLOPT_POST, true);
curl_setopt($handle, CURLOPT_CUSTOMREQUEST,($post)?"POST":"GET");
curl_setopt($handle, CURLOPT_POSTFIELDS, $post);
}
curl_setopt($handle, CURLOPT_COOKIE, $cookie);
if(preg_match('/https/',$url)) {
curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
}
return($buffer = @curl_exec($handle)) ? $buffer : 0;
}
//A basic example of the requisition process :
echo GET('http://google.com',1)
//post data:
GET('/test.php',1,
array('Name' => 'Jet',
'id' => 12,
'foo' => 'abc'));
returns:
successfully : source-code;
0 : Request failed
//send cookies :
GET('http://example.com/send.php',1,
array('Name' => 'Jet',
'id' => 12,
'foo' => 'abc'),"cookies");
file_put_contents : http://php.net/file_put_contents
Jet
2010-07-15 01:35:22