> How is it, if I would create the file itself from the php-script itself?

To do *that* you need world-writable permissions on the DIRECTORY to create
files inside of it.

That means any other user on your computer can *also* create any files they
like in that directory.

> Would I be able to read the file next time it is called from the website?

If that directory is in your web tree, yes, the file would then be

Along with any other files your co-users have decided to throw into your

This is probably worse than having a single world-writable file. :-(

Constructive Suggestions:
Move the file[s] *OUT* of the web tree.  If you want them visible to the
outside world, write a PHP script to display the non-web files.

As each file is created, record it in your DB, and only allow the display of
files in your DB.  Now a hacker needs to create a file in that direcotry
*AND* hack your DB to mess up your web-site.

Check the contents of the files before you display them.  Odds are pretty
good that there are all sorts of things you can check to be sure the files
you have "look" like they should.  Page yourself with a 911 if a suspicious
file shows up.

Give the files (and their containing directory) the *MINIMUM* permissions
required to make it all work.  No eXecute.  No user-readable/writable.
*ONLY* the world readable/writable.  Or, if you control the server, change
that around and make the files owned by "nobody" and *ONLY* user

Run a cron job to "chmod 006 *" (or whatever you chose above) on that
directory every few minutes, so if a hacker manages to force a bad file in
there, you'll make it less usable.

Run a cron job every once in a while to check that every file in the DB has
a file in the directory and vice-versa.  Page yourself if files appear
mysteriously.  So no file can get added in either place alone without
setting off an alarm.

Actually, you'll need to be careful that no false alarms happen in the midst
of files being added...  So, do the INSERT into your DB before the copy(),
timestamp the insertion, and don't alarm for any file added to the DB but
not the directory in the past minute or two.

This is hardly rock-solid, and any reasonably intelligent malicious user
sharing your machine will eventually be able to figure out how to mess you
up, but is closer to "acceptable risk" than world-writable files laying
around in your web tree.

Hopefully, though, your pro-active measures will have you catching them in
the act of trying to figure out how to break in, rather than them catching
you with your pants down.

The idea is to keep a very, very close eye on what goes in there, and be
sure it's what is *supposed* to be there.

All this won't stop a determined, smart hacker.  But it will catch the
script-kiddies and wannabes.

Disclaimer:  I'm no security expert...

WARNING [EMAIL PROTECTED] address is an endangered species -- Use
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to