
PHP5 Security Block!!


justlukeyou


I had a website running an XML script which worked perfectly but I have updated it by using XMLReader and PHP 5. However, there is a security update on PHP 5 which prevents me from accessing files on my server.

Someone has suggested I add a php.ini file with the following:

allow_url_fopen = on
allow_url_include = on

However, I have also read that the whole purpose of the security update is to prevent this. Can someone advise me how I can get around this issue so that my server can read files and still operate by the PHP5 security update?

Any help would be greatly appreciated.

Link to comment
Share on other sites

Thanks,

My page reads this: "URL file-access is disabled in the server configuration"

I have found this but it relates to include which works: http://www.learnphponline.com/errors/url-file-access-is-disabled-in-the-server-configuration

I have read in a few places that you shouldn't switch the option on because it cancels the security measure.

Link to comment
Share on other sites

That's great, thanks. How do I do that?

I have set up an htaccess file to tell it to upgrade to PHP5. My host requested me to do this.

But I cannot include pages in that same folder. So do I need to add something to the htaccess file?

Do I add this: allow_url_fopen = on to that .htaccess file?

Link to comment
Share on other sites

php_flag allow_url_fopen on

I have set up an htaccess file to tell it to upgrade to PHP5. My host requested me to do this.

If you are on a shared hosting package then you would never have access to the php.ini configuration file. Also, the host may lock down the configuration changes that you can make through your .htaccess.

Shared server hosting is very restrictive.

Link to comment
Share on other sites

Hi,

I have got it reading the document without having it on, as per this page: http://www.learnphponline.com/errors/url-file-access-is-disabled-in-the-server-configuration

I don't understand, if the designers of PHP set a default off for security reasons why would you switch it on?

Because if you want external scripts (on other servers) to include scripts from your server it must be set to on. You can see where the security issues are in this. In your case, if the file is on the server where your web script is, you should not be accessing files through a URL. You should use the absolute path to the file, i.e.

$xml = file_get_contents('/path/to/file.xml');

or

$handle = fopen('/path/to/file.xml','r');

Link to comment
Share on other sites

Thanks a lot, I see now. This is the script I am using. It's behaving very strangely by deleting the contents of the XML feed each time I run it. It also comes up with an error for this "while ($xmlReader->read())". However, I have seen it on plenty of sites so it must be a proper piece of code.

Do you have any advice on how to improve and get this code working?

$xmlReader = new XMLReader();

$filename = "datafeed_98057.xml";
include $_SERVER['DOCUMENT_ROOT'] . '/productfeed/datafeed_98057.xml';

file_put_contents($filename, file_get_contents($url));

$xmlReader->open($filename);

while ($xmlReader->read())
{
    switch ($xmlReader->name)
    {
        case 'product':
            $dom = new DOMDocument();
            $domNode = $xmlReader->expand();
            $element = $dom->appendChild($domMode);
            $domString = utf8_encode($dom->saveXML($element));
            $product = new SimpleXMLElement($domString);

            $awImage = $product->image;

            //insert query
            if(strlen($image) > 0)
            {
                $query = mysql_query("REPLACE INTO productfeed
                    (image)
                    VALUES ('$awImage')");
                echo $awImage . "has been inserted </br>";
            }
            break;
    }
}
?>

Link to comment
Share on other sites

Every time you take an action which might fail, like these:

file_put_contents($filename, file_get_contents($url));
$xmlReader->open($filename);

you need to check if it failed. For example:

$retval = file_put_contents($filename, file_get_contents($url));
if ($retval === false) {
  die("file_put_contents to $filename from $url failed");
}

The manual explains what return values you should check for, for each function, e.g. http://php.net/manual/en/function.file-put-contents.php

Link to comment
Share on other sites

The errors it gives you automatically often aren't enough. Change this code:

file_put_contents($filename, file_get_contents($url));

to this:

$url_contents = file_get_contents($url);
if ($url_contents === false) {
  die("file_get_contents($url) failed");
}
if ($url_contents === '') {
  die("file_get_contents($url) returned no data");
}

$retval = file_put_contents($filename, $url_contents);
if ($retval === false) {
  die("file_put_contents($filename) failed");
}

That's a good start. That will catch a number of possible failures you could get while reading the data and writing it to the file.

Link to comment
Share on other sites

I tried to use your $xml = file_get_contents('/path/to/file.xml'); suggestion, however it is doing something very bizarre for me

failed to open stream: No such file or directory in phpfeed.php on line 17

This is not bizarre. It is simple. The path you have used is incorrect. You have used a relative path as opposed to an absolute path. Do the following:

print $_SERVER['DOCUMENT_ROOT'];
exit();

This will give you the path to your document root, i.e. /home/username/public_html/.

Stick the XML file in this directory and use the path in the function that reads the file. Simple. Also, as suggested, make sure your script properly exits on error:

if(!$xml = file_get_contents('/path/to/file.xml')) {
    print 'Could not open xml file';
    exit();
}

Link to comment
Share on other sites
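The advice in the replies above (read the feed through an absolute filesystem path rather than a URL, and check every call that can fail) can be combined as follows. This is an added example, not code from any poster in the thread; the function name readProductImages, the temporary directory and the sample feed are constructed for illustration, and it additionally passes LIBXML_NONET so the XML parser itself makes no network requests.

```php
<?php
// Added example, not code from the thread. Paths and feed contents are constructed.
function readProductImages(string $feedDir, string $feedName): array
{
    // realpath() returns an absolute filesystem path, or false when nothing is
    // there (the "No such file or directory" case from the thread).
    $base = realpath($feedDir);
    $path = realpath($feedDir . DIRECTORY_SEPARATOR . $feedName);
    if ($base === false || $path === false) {
        throw new RuntimeException("feed not found: $feedName");
    }
    // Refuse names that resolve outside the feed directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("feed path is outside $base");
    }
    $reader = new XMLReader();
    // LIBXML_NONET: the XML parser must not fetch anything over the network.
    if (!$reader->open($path, null, LIBXML_NONET)) {
        throw new RuntimeException("XMLReader could not open $path");
    }
    $images = [];
    $doc = new DOMDocument();
    while ($reader->read()) {
        if ($reader->nodeType !== XMLReader::ELEMENT || $reader->name !== 'product') {
            continue;
        }
        $node = $reader->expand();
        if ($node === false) {
            throw new RuntimeException('malformed <product> element');
        }
        $product = simplexml_import_dom($doc->importNode($node, true));
        $image = trim((string) $product->image);
        if ($image !== '') {
            $images[] = $image;
        }
    }
    $reader->close();
    return $images;
}

// Constructed sample: a two-product feed in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'productfeed_demo';
if (!is_dir($dir) && !mkdir($dir, 0700)) {
    die("could not create $dir");
}
$xml = '<feed><product><image>a.jpg</image></product><product><image/></product></feed>';
if (file_put_contents("$dir/datafeed_sample.xml", $xml) === false) {
    die('could not write sample feed');
}
print_r(readProductImages($dir, 'datafeed_sample.xml'));
```

Because the feed is opened by filesystem path, this works with allow_url_fopen and allow_url_include left off.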

Hi,

I have spent a couple of hours on this but I am still no nearer. I have entered the code but it is just printing this /kunden/homepages/1/d179449150/htdocs/(domain)

Does this mean my server is set up wrong and it is unable to identify the root folder?

This is the code I'm using:

$xmlReader = new XMLReader();

$filename = "datafeed_98057.xml";

print $_SERVER['DOCUMENT_ROOT'];
exit();

if(!$xml = file_get_contents('/path/to/datafeed_98057.xml'))
{
    print 'Could not open xml file';
    exit();
}

file_put_contents($filename, file_get_contents($xml));

$xmlReader->open($filename);

$url_contents = file_get_contents($url);
if ($url_contents === false) {
    die("file_get_contents($url) failed");
}
if ($url_contents === '') {
    die("file_get_contents($url) returned no data");
}
$retval = file_put_contents($filename, $url_contents);
if ($retval === false) {
    die("file_put_contents($filename) failed");
}

while ($xmlReader->read())
{
    switch ($xmlReader->name)
    {
        case 'product':
            $dom = new DOMDocument();
            $domNode = $xmlReader->expand();
            $element = $dom->appendChild($domMode);
            $domString = utf8_encode($dom->saveXML($element));
            $product = new SimpleXMLElement($domString);

            $awImage = $product->image;

            //insert query
            if(strlen($image) > 0)
            {
                $query = mysql_query("REPLACE INTO productfeed
                    (image)
                    VALUES ('$awImage')");
                echo $awImage . "has been inserted </br>";
            }
            break;
    }
}
?>

Link to comment
Share on other sites
