ID: 23956 Updated by: [EMAIL PROTECTED] Reported By: markus at scherner dot de Status: Bogus Bug Type: Filesystem function related Operating System: win nt, win xp, unix PHP Version: 4.3.2 New Comment:
#1) The path you are attempting to write does not (probably anyway) exist. Here's why: You pass: "mail/localmail/[EMAIL PROTECTED]" to fopen and tell it to write in the include path. The include path includes, among other locations: /www/casyincs/mail/localmail Adding the includepath to the file requested gives: /www/casyincs/mail/localmail/mail/localmail/[EMAIL PROTECTED] Notice how the file provided to fopen is seen as a relative path to the include path. So of course it can't write to the file, the directory /www/casyincs/mail/localmail/mail/localmail doesn't exist. None of the other path locations leads to a legitimate location either so the write fails. #2) For boolean options, try to use TRUE rather than merely a value which evaluates to true. #3) Using the include path with a write is supported because there could be legitimate uses for it (though essoteric ones). It is however, discouraged because it becomes very easy for the unwary programmer to create a situation wherein system files are overwritten because one of the included paths matches the path passed to fopen and consequently system files are overwritten. Now, imagine a malicious user finding such a vulnerability in your code, he submits data which results in a PEAR class being overwritten with code which, in turn, compromises the integrity of your system as a whole. In general, because you already know the path where you want to create your file, using the include_path option only serves to expose you to unpredictable behavior (as you've already seen) without adding to your functionality. That said, your script probably worked earlier, not because of the version, but because you had '.' (current directory)included in your path. Previous Comments: ------------------------------------------------------------------------ [2003-06-02 12:54:53] markus at scherner dot de I know this very well and I use the function in this example only for own testings which are not official assignable. When it is so risky that way you mean, why is the parameter [in include path] supported for this function? And more, why does it work in 4.3.0 and not in 4.3.2 ? ------------------------------------------------------------------------ [2003-06-02 09:33:05] [EMAIL PROTECTED] writing to a file in the include path will give undefined results and is a potential security risk. As such we do not support it, and you might find that attempting to use fopen() in this way will raise a warning in PHP 5. ------------------------------------------------------------------------ [2003-06-02 08:19:51] markus at scherner dot de Hey everybody. Today updated php on my local system (win nt) from 4.3.0 to 4.3.2. Now the function fopen() gives me an error, when I will write a file within the include path. In the version before, this error does not exist. I am using following syntax: $fp = fopen($maildir.$localmaildir.microstamp().'_'.$email.'.txt',"w",1); remark for you: the include-path is set before to a path outside the htdocs-dir. The command fopen (see above) is called from a function which is included within the script, the var $maildir.$localmaildir is a dir within the includedir and all works fine until the update, so it must be a bug (or it was a bug before and I lived with the bug as well :-) ). The error output is: fopen(mail/localmail/[EMAIL PROTECTED]): failed to open stream: No such file or directory in c:\www\casyincs\functions.php on line 1182 The pathes are: www\casyincs (include dir) www\casyincs\functions.php (includefile with the command) www\casyincs\mail\localmail (in this dir have to be saved the file www\htdocs\index.php (web-directory with executing script) Hoping for an answer, best regards and thankyou for a wonderfull powerfull programming language!!! best regards Markus ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=23956&edit=1
