Web Technologies-I
True or False:
3. Variables in PHP do not have to be declared; they are automatically created.
(a) True (b) False
4. File uploads are the biggest security risk in web development.
(a) True (b) False
5. PHP is a flexible language that has hooks into just about every API offered on the machines
on which it runs.
(a) True (b) False
6. Data filtering is the cornerstone of web application security and is dependent on the
programming language.
(a) True (b) False
14.4 File Permissions
If only you and people you trust can log into your web server, you do not need to worry about file
permissions for files created by your PHP programs. However, most websites are hosted on ISP’s
machines, and there’s a risk that untrusted people will try to read files that your PHP program
creates. There are a number of techniques that you can use to deal with file permissions issues.
14.4.1 Do not Use Files
Because all scripts running on a machine run as the same user, a file that one script creates can
be read by another, regardless of which user wrote the script. All a script needs to know to read
a file is the name of that file.
There is no way to change this, so the best solution is to not use files. As with session stores,
the most secure place to store data is in a database.
A complex workaround is to run a separate Apache daemon for each user. If you add a reverse
proxy such as Squid in front of the pool of Apache instances, you may be able to serve 100+
users on a single machine. Few sites do this, however, because the complexity and cost are
much greater than those for the typical situation, where one Apache daemon can serve web
pages for thousands of users.
14.4.2 Get It Right the First Time
Do not create a file and then change its permissions. This creates a race condition, where a lucky
user can open the file once it is created but before it is locked down. Instead, use the umask( )
function to strip off unnecessary permissions. For example:
umask(077); // disable group and other bits (---rwxrwx)
$fp = fopen("/tmp/myfile", "w");
By default, the fopen( ) function attempts to create a file with permission 0666 (rw-rw-rw-).
Calling umask( ) first disables the group and other bits, leaving only 0600 (rw-------). Now, when
fopen( ) is called, the file is created with those permissions.
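The two patterns side by side, as an added PHP example that is not from the original text; create_private_file( ), mode_of( ) and the scratch directory name are assumptions made for illustration. It goes one step beyond the text by opening with mode "x", because umask( ) only affects files that are newly created, not a file that already exists under that name.

```php
<?php
// Added example, not the book's code. Function and path names are hypothetical.

/** Create $path with group/other bits masked from the first instant. */
function create_private_file(string $path)
{
    $old = umask(0077);          // strip group and other bits before creation
    try {
        // "x" creates the file exclusively and fails if it already exists,
        // so a file made earlier by someone else is never reused.
        $fp = @fopen($path, 'x');
    } finally {
        umask($old);             // the umask is process-wide: always restore it
    }
    if ($fp === false) {
        throw new RuntimeException("could not create new file: $path");
    }
    return $fp;
}

/** Permission bits of $path as a four-digit octal string. */
function mode_of(string $path): string
{
    clearstatcache(true, $path);
    return sprintf('%04o', fileperms($path) & 0777);
}

// Constructed scratch directory so the demo does not touch real files.
$dir = sys_get_temp_dir() . '/perm_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// Racy pattern: the file exists with wider permissions until chmod() runs.
$old = umask(0022);
$racy = "$dir/racy";
fclose(fopen($racy, 'w'));
echo "create-then-chmod, mode before chmod: ", mode_of($racy), "\n";
chmod($racy, 0600);
umask($old);

// Pattern from the text: the restrictive mode applies at creation time.
$safe = "$dir/safe";
fclose(create_private_file($safe));
echo "umask-then-create, mode at creation:  ", mode_of($safe), "\n";

// Clean up the scratch files.
unlink($racy);
unlink($safe);
rmdir($dir);
```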
14.4.3 Session Files
With PHP’s built-in session support, session information is stored in files in the /tmp directory.
Each file is named /tmp/sess_id, where id is the name of the session, and each file is owned by
the web server user ID, usually nobody.
358 LOVELY PROFESSIONAL UNIVERSITY