Safe Config.php files

What to replace - any built-in functions?

vincevincevince

12:45 pm on Mar 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's common for a script to take in some user input, and then write it into a config.php file which will be used for future script executions. This can be a security risk.

Things such as ?>, <?, ' and ", as well as HEREDOC syntax, can play havoc with the config.php file.

How do you sanitise things so that they only result in the strings themselves when placed between ' ' marks in a file?

i.e. if $language is a user-supplied variable, and I write into config.php:


$fh = fopen("config.php", "w");
fwrite($fh, "<?php\n\$language='$language';\n"); // $language goes in unescaped, exactly as the user typed it
fclose($fh);

What steps should I take first to ensure that this is safe? I am painfully aware that <? and ?> can be parsed even within a string!

mcibor

1:21 pm on Mar 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I usually accept that the config file can only be modified once, on install, and only put in measures for safety regarding the quotes.
But if you require it, you could use str_replace for such occurrences.

E.g. change <? to &lt;? etc.

Michal

vincevincevince

2:40 pm on Mar 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I could do a list of str_replace() but I'm worried I'd miss some things of which I'm not aware. Can anyone help here?

The reason I am concerned is that I am providing a hosted service which users will be able to configure themselves. To save database use, I want to write the configuration settings to a flat file and include it directly with PHP. I cannot control what the users type in the configuration file - so I want to sanitise it.

Are there better solutions which still avoid having to read the database for configuration with each page load?
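One way to answer both posts above (how to make a user-supplied value come back as exactly that value, and how to keep a flat file that PHP can include without touching the database): generate the file with var_export() instead of string interpolation, so every value is emitted as a properly escaped PHP literal. This is an added example, not code from the thread; writeConfig() and readConfig() are names chosen here, and the hostile input is constructed.

```php
<?php
// Added example: write user-supplied settings as PHP literals produced by
// var_export(), never by interpolating them into source text. The file is
// `<?php return [...];`, so include returns the array and nothing else runs.

function writeConfig(string $path, array $settings): void {
    // var_export() escapes the only two characters that matter inside a
    // single-quoted PHP literal: the quote itself and the backslash. A `?>`
    // inside a quoted literal is ordinary string data to the PHP lexer.
    $php = "<?php\n// Generated file; do not edit by hand.\nreturn "
         . var_export($settings, true) . ";\n";
    // Write to a temp file and rename so a concurrent include never sees a
    // half-written config.
    $tmp = $path . '.tmp.' . getmypid();
    if (file_put_contents($tmp, $php, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException("cannot write $path");
    }
}

function readConfig(string $path): array {
    $cfg = include $path;
    return is_array($cfg) ? $cfg : [];
}

// Constructed hostile input covering each case the thread worries about:
// quotes, close/open tags, a heredoc marker, and a backslash before a quote.
$hostile = [
    'language' => "en'); echo 'injected'; ?><?php echo 'x",
    'title'    => "<<<EOT\nEOT;\n\\' ?>",
];

$path = sys_get_temp_dir() . '/config_' . bin2hex(random_bytes(4)) . '.php';
writeConfig($path, $hostile);
$back = readConfig($path);
unlink($path);

// The round trip must be exact: the values came back as data, not code.
if ($back !== $hostile) {
    throw new RuntimeException('round trip altered a value');
}
```

If the settings never need to be PHP, writing json_encode($settings) to a file outside the web root and reading it with json_decode() removes code generation from the picture entirely, at the cost of a JSON parse on each request.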

henry0

4:06 pm on Mar 27, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Aside from PW and UN, could you pre-define a bunch of parameters via DD boxes?
Then, using a switch, you could verify that the input is the expected one.