f



Reading and writing files in PHP

Hello,
I have a question about how PHP handles multiple file reads/ writes.
I made a page containing a self-submitting form where the user can
type his name, topic and a text. When he submits the form, PHP reads
the .php file in a variable. It then processes it: adds the user
comments to the var and writes the modified file back to disk. Next
time the user opens the page (s)he sees te comments (s)he and others
added.
So what I have is a very simple 'Blog' without using a database. The
..php file is modifying itself every time a user submits something.

Questions
> What happens when 2 (or more) user simultaneously submit this form?
> What happens when user A submits a form and _while_ the server is processing the file (not having written yet the modifies file) user B submits his form?
> What happens when multiple users submit a form while the server is processing a submit?
> Does PHP keep track of who's first or do I have to build a locking mechanism to secure things?
> What are other pitfalls and security related issues using this approach I oversee?

This is just curiosity - I am not planning to create a fill fledged
ssystem using this technique. Just wondering, learning server side
webscripting.

Thanks a lot,

Marc
0
9/1/2003 3:58:24 PM
comp.lang.php 32646 articles. 0 followers. Post Follow

2 Replies
953 Views

Similar Articles

[PageSpeed] 18

"Marc" <meelzooi2000@yahoo.com> wrote in message
news:acad69df.0309010758.2de3fef5@posting.google.com...
> Hello,
> I have a question about how PHP handles multiple file reads/ writes.
> I made a page containing a self-submitting form where the user can
> type his name, topic and a text. When he submits the form, PHP reads
> the .php file in a variable. It then processes it: adds the user
> comments to the var and writes the modified file back to disk. Next
> time the user opens the page (s)he sees te comments (s)he and others
> added.
> So what I have is a very simple 'Blog' without using a database. The
> .php file is modifying itself every time a user submits something.
>
> Questions
> > What happens when 2 (or more) user simultaneously submit this form?
> > What happens when user A submits a form and _while_ the server is
processing the file (not having written yet the modifies file) user B
submits his form?
> > What happens when multiple users submit a form while the server is
processing a submit?
> > Does PHP keep track of who's first or do I have to build a locking
mechanism to secure things?

Try a simple flock()  to prevent multiple users from overwriting the file,
this will give you better concurrency (but not perfect). Read up on the
flock function in the PHP manual. I was under the impression it worked only
on *nix boxs, but seems it may also work on 2000/Xp/Nt with NTFS.


> > What are other pitfalls and security related issues using this approach
I oversee?

A major problem is code injection. Anybody can enter PHP code into the input
box on the submit form, then you save it to you php file, and it gets
executed, allowing my to execute arbitrary code on your server.

What will happen:

At your form, I enter:
Text: [ <?php phpinfo(); ?>  ]

If your file (blog.php) you have:

Jane: Yo!
Bob: Hallo world!!!

And after my form submission it becomes:

Jane: Yo!
Bob: Hallo world!!!
<?php phpinfo(); ?>

so now of course, when I reopen it, ...
http://www.yourdomain.com/blog.php

it executes phpinfo() and reports your system configuration back to me.
Very useful, and of course the attacks can get much worse, I can execute any
php code I like, so I can do anything!!

One option here is to make you "blog" page a static html, i..e give it a
..html extension and don't execute dynamic code in it. If you have to execute
code in it for other purposes, make sure you at least strip away all
possible php code tags, that is <?, <?php, <?=, <%, <%=, %> and ?>

Thanks
Mark
---------------------------------------------------------------------------
Windows, Linux and Internet Development Consultant
Email: corporate@scriptsmiths.com
Web: http://www.scriptsmiths.com
---------------------------------------------------------------------------


>
> This is just curiosity - I am not planning to create a fill fledged
> ssystem using this technique. Just wondering, learning server side
> webscripting.
>
> Thanks a lot,
>
> Marc




0
corporate (16)
9/2/2003 6:03:28 AM
"Mark Hewitt" <corporate@scriptsmiths.com> wrote in message news:<3f5431ea$0$64719@hades.is.co.za>...
> "Marc" <meelzooi2000@yahoo.com> wrote in message
> news:acad69df.0309010758.2de3fef5@posting.google.com...
> > Hello,
> > I have a question about how PHP handles multiple file reads/ writes.
> > I made a page containing a self-submitting form where the user can
> > type his name, topic and a text. When he submits the form, PHP reads
> > the .php file in a variable. It then processes it: adds the user
> > comments to the var and writes the modified file back to disk. Next
> > time the user opens the page (s)he sees te comments (s)he and others
> > added.
> > So what I have is a very simple 'Blog' without using a database. The
> > .php file is modifying itself every time a user submits something.
> >
> > Questions
> > > What happens when 2 (or more) user simultaneously submit this form?
> > > What happens when user A submits a form and _while_ the server is
> processing the file (not having written yet the modifies file) user B
> submits his form?
> > > What happens when multiple users submit a form while the server is
>  processing a submit?
> > > Does PHP keep track of who's first or do I have to build a locking
> mechanism to secure things?
> 
> Try a simple flock()  to prevent multiple users from overwriting the file,
> this will give you better concurrency (but not perfect). Read up on the
> flock function in the PHP manual. I was under the impression it worked only
> on *nix boxs, but seems it may also work on 2000/Xp/Nt with NTFS.
> 
> 
> > > What are other pitfalls and security related issues using this approach
> I oversee?
> 
> A major problem is code injection. Anybody can enter PHP code into the input
> box on the submit form, then you save it to you php file, and it gets
> executed, allowing my to execute arbitrary code on your server.
> 
> What will happen:
> 
> At your form, I enter:
> Text: [ <?php phpinfo(); ?>  ]
> 
> If your file (blog.php) you have:
> 
> Jane: Yo!
> Bob: Hallo world!!!
> 
> And after my form submission it becomes:
> 
> Jane: Yo!
> Bob: Hallo world!!!
> <?php phpinfo(); ?>
> 
> so now of course, when I reopen it, ...
> http://www.yourdomain.com/blog.php
> 
> it executes phpinfo() and reports your system configuration back to me.
> Very useful, and of course the attacks can get much worse, I can execute any
> php code I like, so I can do anything!!
> 
> One option here is to make you "blog" page a static html, i..e give it a
> .html extension and don't execute dynamic code in it. If you have to execute
> code in it for other purposes, make sure you at least strip away all
> possible php code tags, that is <?, <?php, <?=, <%, <%=, %> and ?>
> 
> Thanks
> Mark
> ---------------------------------------------------------------------------
> Windows, Linux and Internet Development Consultant
> Email: corporate@scriptsmiths.com
> Web: http://www.scriptsmiths.com
> ---------------------------------------------------------------------------
> 
> 
> >
> > This is just curiosity - I am not planning to create a fill fledged
> > ssystem using this technique. Just wondering, learning server side
> > webscripting.
> >
> > Thanks a lot,
> >
> > Marc


Mark,

thanks for the tip. The code injection problem I solved with
str_replace. I only care about php and HTML/JavaScript tags since a
..php file doesn't get parsed by a asp or cf server... It seems to work
OK on this small server but then all you can do is display values in
the order they are entered by successive users - nothing dynamic like
sorting, categorizing etc a database allows you to.

Marc
0
9/2/2003 4:39:42 PM
Reply: