RMorrison (posted March 9, 2017):

I know this can be done, seeing as I've used many PHP packages over time. Basically, I'm trying to run an install.php which will take the MySQL connection info, then write to another config.php file for the user.

Here is the code I have (at this point, I have verified the database connection is fine):

```php
//Connection success, let's create config.php
$file = "some/path/to/config.php";
// "\n" must be double-quoted to write a real newline; '\n' is a literal backslash-n
$lines = array(
 '<?php' . "\n",
 'class config' . "\n",
 '{' . "\n",
 ' var $mysql_server = \''.$mysql_host.'\';' . "\n",
 ' var $mysql_port = \''.$mysql_port.'\';' . "\n",
 ' var $mysql_user = \''.$mysql_user.'\';' . "\n",
 ' var $mysql_pass = \''.$mysql_pass.'\';' . "\n",
 ' var $mysql_db = \''.$mysql_db.'\';' . "\n",
 ' var $table_prefix = \''.$table_prefix.'\';' . "\n",
 ' var $template_dir = \'styles\';' . "\n",
 // second declaration of $mysql_server: PHP refuses to redeclare a property
 ' var $mysql_server = array();' . "\n",
 '}' . "\n"
);
$writing = fopen($file, 'w+');
foreach ($lines as $line) {
 fwrite($writing, $line);
}
chmod($file, 0600); // octal 0600; decimal 600 is a different mode
```

The first error in my error log:

failed to open stream: Permission denied in public_html/install.php on line 77, referer: ./install.php

The rest of the errors are all the fwrite returning that I used a boolean instead of a resource, which makes sense if the file didn't open.

I'm gathering it's a permission thing for the directory I'm trying to get the config to write to, but I have the same setup I've always used and never had this issue with other systems.

NigelRel3 (posted March 9, 2017):

If public_html is a directory you have created, then it could be that the process which is running PHP doesn't have rights to that directory. So check the owner and rights to the directory you're trying to write to (in Linux, PHP is commonly run as www-data:www-data, so usually best to have all things within your web root directory owned by that user).

One thing you have to consider is the difference between a URL path and a directory path. It looks as though the file you're writing to is relative to the script that you're running. It's assuming there is a directory called public_html in the same directory as the install.php. This may be the case, but you could also consider using something like realpath(), which can give you the actual directory you're writing to in the file system from the URL you're using.

requinix (posted March 9, 2017):

Don't have PHP create the config file. It will create it owned by whatever user PHP is running as (e.g., www-data or nobody) and if you chmod it to 0600 then the user won't be able to edit or view the file.

The user should create the file first, give it 0666 permissions, have the script make changes, then chmod it back to 0644.

Or better, tell the user what to put into the config file themselves so they don't have to deal with permissions.

Or still better, put a template file into the installation package and let the user edit what they need to.

Jacques1 (posted March 9, 2017):

Dumping raw user input into a PHP script means that anybody who can send a request to the script (directly or indirectly through CSRF) may inject arbitrary PHP code. You might as well have a textarea where people can execute code on your server.

Even if the script was completely isolated from the Internet and only used by friendly people, it would still be a bad idea, because code injections can happen purely by accident and will then break the application permanently. For example, try a password with a single quote or a backslash at the end.

You really need to adopt a more robust, less naive way of programming. If you absolutely must create configuration files programmatically (which is inherently risky), then use non-executable formats like JSON, XML, YAML, ... We already had that discussion in your last thread.

Also note that the “var” syntax for object attributes comes from PHP 4 and has been obsolete for more than a decade (I was surprised that it still works).
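
One way the non-executable format suggested in the post above could look, as an added example that is not part of the thread: the settings are stored as JSON and read back as data, so a password containing a single quote or ending in a backslash cannot alter any code, and the "Permission denied" case from the first post becomes an explicit error. The function names, file name, keys and sample values are assumptions; JSON_THROW_ON_ERROR needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. Function names, file name,
// keys and sample values are assumptions.

/** Store settings as JSON: values are encoded as data, never parsed as PHP. */
function write_config(string $path, array $settings, int $mode = 0600): void
{
    // Resolve the real directory first, so a wrong relative path or missing
    // write permission gives a clear error instead of fopen()/fwrite() warnings.
    $dir = realpath(dirname($path));
    if ($dir === false || !is_writable($dir)) {
        throw new RuntimeException('Directory missing or not writable by PHP: ' . dirname($path));
    }
    $json = json_encode($settings, JSON_PRETTY_PRINT | JSON_THROW_ON_ERROR);

    // Write a temporary file in the same directory, then rename it into
    // place, so a half-written config is never left behind.
    $tmp = tempnam($dir, 'cfg');
    if ($tmp === false
        || file_put_contents($tmp, $json) === false
        || !chmod($tmp, $mode)              // octal mode, e.g. 0600, not 600
        || !rename($tmp, $dir . '/' . basename($path))) {
        if ($tmp !== false) { @unlink($tmp); }
        throw new RuntimeException("Cannot write $path");
    }
}

/** Read the settings back; malformed JSON throws instead of running. */
function read_config(string $path): array
{
    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("Cannot read $path");
    }
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException("Unexpected content in $path");
    }
    return $data;
}

// Constructed sample: a password with a single quote and a trailing backslash.
$settings = ['mysql_server' => 'localhost', 'mysql_user' => 'app',
             'mysql_pass' => "pa'ss\\", 'mysql_db' => 'appdb'];
$path = sys_get_temp_dir() . '/config.json';   // hypothetical location
write_config($path, $settings);
var_dump(read_config($path) === $settings);
```

Keep the JSON file outside the web root or deny access to it, because unlike a .php file the web server would otherwise serve its contents as plain text.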

RMorrison (Author, posted March 9, 2017):

If this is such a big security issue, why do other packages such as phpBB write their config file in a PHP file after the installation? Fair enough, the file already exists and it's empty, but they still write it.

requinix (posted March 9, 2017):

Because phpBB was first created in the early 2000s?

NigelRel3 (posted March 10, 2017):

Even if OP were to change his code to write an XML/JSON/.ini file format instead, I assume they will still have the same problem which they raised, which was that they can't write the file due to permission problems.

Jacques1 (posted March 10, 2017):

The permissions have already been explained. Now we're talking about a different problem.