Reading and writing files in PHP
Hello, I have a question about how PHP handles multiple file reads/ writes. I made a page containing a self-submitting form where the user can type his name, topic and a text. When he submits the form, PHP reads the .php file in a variable. It then processes it: adds the user comments to the var and writes the modified file back to disk. Next time the user opens the page (s)he sees te comments (s)he and others added. So what I have is a very simple 'Blog' without using a database. The ..php file is modifying itself every time a user submits something. Questions > What happens when 2 (or more) user simultaneously submit this form? > What happens when user A submits a form and _while_ the server is processing the file (not having written yet the modifies file) user B submits his form? > What happens when multiple users submit a form while the server is processing a submit? > Does PHP keep track of who's first or do I have to build a locking mechanism to secure things? > What are other pitfalls and security related issues using this approach I oversee? This is just curiosity - I am not planning to create a fill fledged ssystem using this technique. Just wondering, learning server side webscripting. Thanks a lot, Marc
meelzooi2000
comp.lang.php
32646 articles. 
0 followers.
2 Replies
953 Views
Similar Articles"Marc" <meelzooi2000@yahoo.com> wrote in message news:acad69df.0309010758.2de3fef5@posting.google.com... > Hello, > I have a question about how PHP handles multiple file reads/ writes. > I made a page containing a self-submitting form where the user can > type his name, topic and a text. When he submits the form, PHP reads > the .php file in a variable. It then processes it: adds the user > comments to the var and writes the modified file back to disk. Next > time the user opens the page (s)he sees te comments (s)he and others > added. > So what I have is a very simple 'Blog' without using a database. The > .php file is modifying itself every time a user submits something. > > Questions > > What happens when 2 (or more) user simultaneously submit this form? > > What happens when user A submits a form and _while_ the server is processing the file (not having written yet the modifies file) user B submits his form? > > What happens when multiple users submit a form while the server is processing a submit? > > Does PHP keep track of who's first or do I have to build a locking mechanism to secure things? Try a simple flock() to prevent multiple users from overwriting the file, this will give you better concurrency (but not perfect). Read up on the flock function in the PHP manual. I was under the impression it worked only on *nix boxs, but seems it may also work on 2000/Xp/Nt with NTFS. > > What are other pitfalls and security related issues using this approach I oversee? A major problem is code injection. Anybody can enter PHP code into the input box on the submit form, then you save it to you php file, and it gets executed, allowing my to execute arbitrary code on your server. What will happen: At your form, I enter: Text: [ <?php phpinfo(); ?> ] If your file (blog.php) you have: Jane: Yo! Bob: Hallo world!!! And after my form submission it becomes: Jane: Yo! Bob: Hallo world!!! <?php phpinfo(); ?> so now of course, when I reopen it, ... http://www.yourdomain.com/blog.php it executes phpinfo() and reports your system configuration back to me. Very useful, and of course the attacks can get much worse, I can execute any php code I like, so I can do anything!! One option here is to make you "blog" page a static html, i..e give it a ..html extension and don't execute dynamic code in it. If you have to execute code in it for other purposes, make sure you at least strip away all possible php code tags, that is <?, <?php, <?=, <%, <%=, %> and ?> Thanks Mark --------------------------------------------------------------------------- Windows, Linux and Internet Development Consultant Email: corporate@scriptsmiths.com Web: http://www.scriptsmiths.com --------------------------------------------------------------------------- > > This is just curiosity - I am not planning to create a fill fledged > ssystem using this technique. Just wondering, learning server side > webscripting. > > Thanks a lot, > > Marc
corporate"Mark Hewitt" <corporate@scriptsmiths.com> wrote in message news:<3f5431ea$0$64719@hades.is.co.za>... > "Marc" <meelzooi2000@yahoo.com> wrote in message > news:acad69df.0309010758.2de3fef5@posting.google.com... > > Hello, > > I have a question about how PHP handles multiple file reads/ writes. > > I made a page containing a self-submitting form where the user can > > type his name, topic and a text. When he submits the form, PHP reads > > the .php file in a variable. It then processes it: adds the user > > comments to the var and writes the modified file back to disk. Next > > time the user opens the page (s)he sees te comments (s)he and others > > added. > > So what I have is a very simple 'Blog' without using a database. The > > .php file is modifying itself every time a user submits something. > > > > Questions > > > What happens when 2 (or more) user simultaneously submit this form? > > > What happens when user A submits a form and _while_ the server is > processing the file (not having written yet the modifies file) user B > submits his form? > > > What happens when multiple users submit a form while the server is > processing a submit? > > > Does PHP keep track of who's first or do I have to build a locking > mechanism to secure things? > > Try a simple flock() to prevent multiple users from overwriting the file, > this will give you better concurrency (but not perfect). Read up on the > flock function in the PHP manual. I was under the impression it worked only > on *nix boxs, but seems it may also work on 2000/Xp/Nt with NTFS. > > > > > What are other pitfalls and security related issues using this approach > I oversee? > > A major problem is code injection. Anybody can enter PHP code into the input > box on the submit form, then you save it to you php file, and it gets > executed, allowing my to execute arbitrary code on your server. > > What will happen: > > At your form, I enter: > Text: [ <?php phpinfo(); ?> ] > > If your file (blog.php) you have: > > Jane: Yo! > Bob: Hallo world!!! > > And after my form submission it becomes: > > Jane: Yo! > Bob: Hallo world!!! > <?php phpinfo(); ?> > > so now of course, when I reopen it, ... > http://www.yourdomain.com/blog.php > > it executes phpinfo() and reports your system configuration back to me. > Very useful, and of course the attacks can get much worse, I can execute any > php code I like, so I can do anything!! > > One option here is to make you "blog" page a static html, i..e give it a > .html extension and don't execute dynamic code in it. If you have to execute > code in it for other purposes, make sure you at least strip away all > possible php code tags, that is <?, <?php, <?=, <%, <%=, %> and ?> > > Thanks > Mark > --------------------------------------------------------------------------- > Windows, Linux and Internet Development Consultant > Email: corporate@scriptsmiths.com > Web: http://www.scriptsmiths.com > --------------------------------------------------------------------------- > > > > > > This is just curiosity - I am not planning to create a fill fledged > > ssystem using this technique. Just wondering, learning server side > > webscripting. > > > > Thanks a lot, > > > > Marc Mark, thanks for the tip. The code injection problem I solved with str_replace. I only care about php and HTML/JavaScript tags since a ..php file doesn't get parsed by a asp or cf server... It seems to work OK on this small server but then all you can do is display values in the order they are entered by successive users - nothing dynamic like sorting, categorizing etc a database allows you to. Marc