Writing to .php file, not .txt

Forum Moderators: coopster

Message Too Old, No Replies

Writing to .php file, not .txt

How reliable?

Patrick Taylor

11:24 pm on Jan 11, 2013 (gmt 0)

I want to be able create new .php files from a form with:

touch
fopen
fwrite
fclose

It works on my server. My new .php file content begins with <?php and ends with ?> as it should, and the coding is in correctly, all as sent by the form. I know it's more normal to write to a .txt file so I'm wondering how reliable writing .php files is on all servers (not just mine).

coopster

9:34 pm on Jan 20, 2013 (gmt 0)

Boy oh boy are you opening the door to get hacked by allowing this type of action. I would never allow this, period. First, what exactly is it you are attempting to accomplish? Perhaps there is a better solution.

Patrick Taylor

10:34 pm on Jan 20, 2013 (gmt 0)

Thanks for the reply. I have built a small flat file CMS that creates new pages using a password protected form. Each 'page' consists of a text file (the content) and a .php file (the output script). It has worked well for me for a number of years. However, the CMS is available to anyone who wants to download the scripts. I have seen some examples of websites other people have created with my system but I have no way of knowing whether it is reliable on all servers (Apache only). In other words, will the system work for everyone?

I hope that explains the reason for the question. I was wondering if 'touch', 'fwrite' etc can write any type of file in addition to text files and to what extent some Apache servers might impose restrictions on writing certain types. One example is .htaccess.

coopster

11:00 pm on Jan 20, 2013 (gmt 0)

You can set permissions to read/write/execute however you wish for whatever file extension types you wish, including per-directory override files (.htaccess). But, as I said, this is a very scary practice.

Patrick Taylor

11:40 pm on Jan 20, 2013 (gmt 0)

The admin has to be able to write files from a form on a password protected page. It's the only way my CMS can work. If someone hacks past the password protection they can delete the whole website, I realise that (the same applies to WordPress). What I am trying to understand is whether a valid user will always be able to write new files to the server without setting up any special permissions.

penders

2:53 pm on Jan 22, 2013 (gmt 0)

I was wondering if 'touch', 'fwrite' etc can write any type of file in addition to text files and to what extent some Apache servers might impose restrictions on writing certain types. One example is .htaccess.

PHP files are text files and they don't necessarily need to have a .php file extension to be parsed by PHP so I don't see why a server would impose any kind of write restriction on these files (other than changing the usual file perms).

The other problem with writing directly to PHP files is that if anything invalid should get written that results in a fatal (untrappable) parse error when the file is later included then your system breaks.

One example is .htaccess.

Does Apache impose additional restrictions on writing to .htaccess?

swa66

2:59 pm on Jan 22, 2013 (gmt 0)

I feel allowing the user running the httpd write acces to you docroot is asking for trouble.

Patrick Taylor

5:43 pm on Jan 22, 2013 (gmt 0)

PHP files are text files...

That's the answer I was looking for. Thanks.