Security implications of writing files using PHP

Posted by susmits on Stack Overflow See other posts from Stack Overflow or by susmits
Published on 2010-04-15T01:31:13Z Indexed on 2010/04/15 1:33 UTC
Read the original article Hit count: 353

Filed under:
|
|
|

I'm currently trying to create a CMS using PHP, purely in the interest of education. I want the administrators to be able to create content, which will be parsed and saved on the server storage in pure HTML form to avoid the overhead that executing PHP script would incur. Unfortunately, I could only think of a few ways of doing so:

  • Setting write permission on every directory where the CMS should want to write a file. This sounds like quite a bad idea.
  • Setting write permissions on a single cached directory. A PHP script could then include or fopen/fread/echo the content from a file in the cached directory at request-time. This could perhaps be carried out in a Mediawiki-esque fashion: something like index.php?page=xyz could read and echo content from cached/xyz.html at runtime. However, I'll need to ensure the sanity of $_GET['page'] to prevent nasty variations like index.php?page=http://www.bad-site.org/malicious-script.js.

I'm personally not too thrilled by the second idea, but the first one sounds very insecure. Could someone please suggest a good way of getting this done?

© Stack Overflow or respective owner

Related posts about php

Related posts about caching