Jump to content

Recommended Posts

I know this can be done seeing as I've used many php packages over time. Basically, I'm trying to run an install.php which will take the mysql connection info, then write to another config.php file for the user. Here is the code I have (at this point, I have verified the database connection is fine)

 

//Connection success, let's create config.php
            $file = "some/path/to/config.php";
            $lines = array(
                '<?php\n',
                'class config\n',
                '{\n',
                '   var $mysql_server = \''.$mysql_host.'\';\n',
                '   var $mysql_port = \''.$mysql_port.'\';\n',
                '   var $mysql_user = \''.$mysql_user.'\';\n',
                '   var $mysql_pass = \''.$mysql_pass.'\';\n',
                '   var $mysql_db = \''.$mysql_db.'\';\n',
                '   var $table_prefix = \''.$table_prefix.'\';\n',
                '   var $template_dir = \'styles\';\n',
                '   var $mysql_server = array();\n',
                '}\n'
            );
            $writing = fopen($file, 'w+');
            foreach ($lines as $line)
            {
                fwrite($writing, $line);
            }
            chmod($file, 600);
 

The first error in my error log:

 

failed to open stream: Permission denied in public_html/install.php on line 77, referer: ./install.php

 

The rest of the errors are all the fwrite returning I used a boolean instead of resource which makes sense if the file didn't open. I'm gathering it's a permission thing for the directory i'm trying to get the config to write but I have the same setup i've always used and never had this issue with other systems.

Link to comment
https://forums.phpfreaks.com/topic/303406-writing-a-config-file/
Share on other sites

If public_html s a directory you have created, then it could be that the process which is running PHP doesn't have rights to that directory.  So check the owner and rights to the directory your trying to write to (In linux, PHP is commonly run as www-data:www-data, so usually best to have all things within your web root directory owned by that user).

One thing you have to consider is the difference between a URL path and a directory path.  It looks as though the file your writing to is relative to the script that your running.  It's assuming there is a directory called public_html in the same directory as the install.php.  This may be the case, but you could also consider using something like realpath() which can give you the actual directory your writing to in the file system from the URL your using.

Don't have PHP create the config file. It will create it owned by whatever user PHP is running as (eg, www-data or nobody) and if you chmod it to 0600 then the user won't be able to edit or view the file.

 

The user should create the file first, give it 0666 permissions, have the script make changes, then chmod it back to 0644.

 

Or better, tell the user what to put into the config file themselves so they don't have to deal with permissions.

Or still better, put a template file into the installation package and let the user edit what they need to.

Dumping raw user input into a PHP script means that anybody who can send a request to the script (directly or indirectly through CSRF) may inject arbitrary PHP code. You might as well have a textarea where people can execute code on your server.

 

Even if the script was completely isolated from the Internet and only used by friendly people, it would still be a bad idea, because code injections can happen purely by accident and will then break the application permanently. For example, try a password with a single quote or a backslash at the end.

 

You really need to adopt a more robust, less naive way of programming. If you absolutely must create configuration files programmatically (which is inherently risky), then use non-executable formats like JSON, XML, YAML, ... We already had that discussion in your last thread.

 

Also note that the “var” syntax for object attributes comes from PHP 4 and is obsolete since more than a decade (I was surprised that it still works).

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.