PHP HelpPHP Help

Online Community that helps beginners learn PHP,
and webmasters solve PHP coding problems

since 1999

Basics of the Configuration File

Security Concerns

Anytime you create or write an operating system file from a web based form and script combination, you must consider how secure it is. There is potential for abuse if users can write files all over the place.

First, you should be sure that the path to the configuration file is hardwired into the script. Never let the user define this path directly from the form input. If you do have a need for the user to select from a number of configuration files, select them from an array of allowed paths. The form should only allow the users to indicate which path they are selecting, for example, by an option number obtained from a drop down menu.

Second, you should be sure the configuration file is not writeable by anyone on the net. It should be writeable only by the owner and any script granted access to the filesystem.

If PHP is not running under your user id, then you will have to have the user manually make the file world writeable until the new file is written out, then have them manually change the permissions so it not world writeable.

Third, I suggest user input be run through a function that strips any HTML tags, SSI includes, Unix system characters or commands before writing the configuration out. You may need to allow some of these given the purpose of the input. For example, if the input is for a snippet of HTML (you still want to be careful, because submitting a bit of JavaScript could wreak havoc if displayed in your browser and a snippet of PHP code could also do harm).

Pages:  1   2   3   4Related Forum Topics   |   More Tutorials »

Copyright © 2017