Security implications of writing files using PHP
Posted
by susmits
on Stack Overflow
See other posts from Stack Overflow
or by susmits
Published on 2010-04-15T01:31:13Z
Indexed on
2010/04/15
1:33 UTC
Read the original article
Hit count: 353
I'm currently trying to create a CMS using PHP, purely in the interest of education. I want the administrators to be able to create content, which will be parsed and saved on the server storage in pure HTML form to avoid the overhead that executing PHP script would incur. Unfortunately, I could only think of a few ways of doing so:
- Setting write permission on every directory where the CMS should want to write a file. This sounds like quite a bad idea.
- Setting write permissions on a single
cached
directory. A PHP script could theninclude
orfopen/fread/echo
the content from a file in thecached
directory at request-time. This could perhaps be carried out in a Mediawiki-esque fashion: something likeindex.php?page=xyz
could read and echo content fromcached/xyz.html
at runtime. However, I'll need to ensure the sanity of$_GET['page']
to prevent nasty variations likeindex.php?page=http://www.bad-site.org/malicious-script.js
.
I'm personally not too thrilled by the second idea, but the first one sounds very insecure. Could someone please suggest a good way of getting this done?
© Stack Overflow or respective owner