CODEWITHSUNDEEP
phpsecurityfopen
Ben Kulbertis
Ben Kulbertis

Reputation: 1713

Is fopen safe to use in public software?

I am creating a web application that I hope to release to the public for downloading and installing on anyone's own web server, however I just was informed that some webhosts disable the use of fopen in php due to "security issues", particularly on shared hosts. I use fopen during the installation process of the application, should I be concerned about this? Is this a common practice in shared hosts? If so, is there another way I can write to a file? I have heard of cURL, but this would require more advanced knowledge on the part of the end user, no? If so, this can obviously not be expected. Thanks very much!

Upvotes: 5

Views: 1814

Answers (3)

Jet
Jet

Reputation: 1325

using cURL:

 function GET($url,$header = null,$post = 0,$cookie = null){
                    $handle = curl_init();
                        curl_setopt($handle, CURLOPT_URL, $url);
                        curl_setopt($handle, CURLOPT_HEADER, $header);
                        curl_setopt($handle, CURLOPT_FOLLOWLOCATION, true);
                        curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
                        if($post) {
                            curl_setopt($handle, CURLOPT_POST, true);
                            curl_setopt($handle, CURLOPT_CUSTOMREQUEST,($post)?"POST":"GET");
                            curl_setopt($handle, CURLOPT_POSTFIELDS, $post);
                        }
                        curl_setopt($handle, CURLOPT_COOKIE, $cookie);

                        if(preg_match('/https/',$url)) {
                            curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
                        }
                            return($buffer = @curl_exec($handle)) ? $buffer : 0;
                }


                //A basic example of the requisition process : 
                        echo GET('http://google.com',1)

                //post data: 

                GET('/test.php',1,
                    array('Name' => 'Jet',
                          'id' => 12,
                          'foo' => 'abc'));
                returns:
                    successfully : source-code;
                    0 : Request failed

                //send cookies : 
                GET('http://example.com/send.php',1,
                                array('Name' => 'Jet',
                                      'id' => 12,
                                        'foo' => 'abc'),"cookies");

file_put_contents : http://php.net/file_put_contents

Upvotes: 1

Wrikken
Wrikken

Reputation: 70490

In my limited experience, fopen() is seldom disabled. Writing to a local file with curl is nonsense, so this wouldn't be an alternative. As all writing to a local file kind of depends on fopen, the most usual route for normal packages is:

  1. Trying to set the content in a file on installation (possibly a file already there with a decent default in the normal packages files).
  2. On failure, present to user with the content you'd like to set, and offer him the option to either copy/paste that content manually, or to retry to set the content (for instance, when the user sets the file permissions correctly, which you of course explain how to do).

Upvotes: 2

mario
mario

Reputation: 145482

fopen() is never disabled. The php.ini setting "allow_url_fopen" however is. So if you only access local files, not http:// URLs via fopen() this is not really a concern.

If you need URL support you should otherwise include a HTTP request class, like the one in PEAR. This way you avoid the user-unfriendly dependency on the cURL extension module.

Upvotes: 3

Related Questions