PHP Filesystem manipulation security concerns
I am looking for best practices, modules, etc. for securely manipulating the file system via a PHP application. It is a CMS-like application that does not use a database; instead, markdown files are placed in folders and processed at display time. Therefore, there is a lot of moving files around, renaming files, writing files, etc.
I am looking to either find libraries (e.g., the equivalent of an ORM) to manage such actions (input sanitization, moving files, etc.) rather than start from scratch, or, if nothing is available, a listing of best practices, etc.
So far I have found the guidance on php.net.
More information: I plan to build a web-based end-user interface that sits on top of Stacey. I will have a test environment for the end-user interface, and when changes are ready they will be synced to the production environment. It is a non-DB based system. Stacey is convenient to manage and work with from a developer standpoint, but users don't want to work directly with markdown and move files, etc.
Also: please limit the answer to PHP issues; server things like chrooting or locking down the server are dependent upon the user's individual environment and needs. From a development standpoint, I want to focus on securing the distributed code.
I don't know of specific libraries -- filesystem support in PHP is extensive, so I'm not sure why they'd be necessary. You might be better off starting with an existing CMS and modifying it to do what you want -- though I understand that might not be possible. It sounds like the sort of thing that should be using a database, but I guess you know that.
I can't claim to know the exact best practice, so this is more general advice.
First, the web server -- and therefore your PHP scripts -- is running as some user. Which one depends on the configuration, and in particular on the server and the underlying OS. Ideally you want to make sure that user only has access to the filesystem area you are using for storage. Deny access everywhere else apart from read access where it is needed (your scripts, etc.) and read-write access to the storage area. The exact way to do this depends on the system.
That's the last line of defense, so don't rely on it, but it's there as a safety net.
It's not clear what causes files to be renamed, moved, or altered, but it's a safe bet it's user input. Therefore you need to make sure you sanitize user input; if a page name becomes a file name, you do not want to let them enter ../../index.php as a page name and nuke the main site.
Always assume the worst case: the user knows the internals of the system intimately and is aiming to do damage. Do not rely on 'security through obscurity' or 'nobody would ever do that'.
What I would do (and have done before) is two-fold. First, wrap the filesystem functions in a class that provides the same functions as methods. The job of the class is to check that what is happening is allowed, which means it's going to have to read paths and filenames and work out the location of the changes.
Secondly, sanitize user input for anything malicious when it first arrives. You might want to look at using escapeshellarg or URL encoding, or something else depending on what the input is.
You mention files are processed at run-time; if users are allowed to write scripts (or worse, PHP gets executed) you have a lot more issues and may have a fundamental problem. That's not clear from the question.
Hope that helps.
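As an added example (not code from the question or the answer above), here is one way to build the wrapper class the answer describes: every write or move goes through a `resolve()` step that refuses `..` and absolute paths, allows only a conservative character set per segment, and then checks the real location of the nearest existing ancestor against the storage root so a symlink under the root cannot lead outside it. The class name `SafeStorage`, its method names and the allowed character set are my assumptions, and it uses an allow-list plus realpath check rather than an escaping function.

```php
<?php
declare(strict_types=1);

// Hypothetical wrapper: every filesystem call goes through one class that confines paths to a storage root.
final class SafeStorage
{
    private string $root;

    public function __construct(string $root)
    {
        $real = realpath($root);
        if ($real === false || !is_dir($real)) throw new InvalidArgumentException("storage root missing: $root");
        $this->root = $real;
    }

    // Map an untrusted relative path (e.g. a page name) onto an absolute path under the root, or throw.
    public function resolve(string $untrusted): string
    {
        if ($untrusted === '' || strpos($untrusted, "\0") !== false || preg_match('#^[/\\\\]#', $untrusted)) {
            throw new InvalidArgumentException('empty, absolute or NUL-containing path rejected');
        }
        $parts = [];
        foreach (preg_split('#[/\\\\]+#', $untrusted) as $segment) {
            if ($segment === '' || $segment === '.') continue;   // harmless, drop it
            // '..' and anything outside a conservative character set is refused, not "cleaned".
            if ($segment === '..' || !preg_match('/^[A-Za-z0-9._-]+$/', $segment)) {
                throw new InvalidArgumentException("bad path segment: $segment");
            }
            $parts[] = $segment;
        }
        if ($parts === []) throw new InvalidArgumentException('path names no file');
        $target = $this->root . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $parts);

        // A symlink that already lives under the root could still point outside it, so compare the
        // real location of the nearest existing ancestor against the root before touching anything.
        $probe = $target;
        while (!file_exists($probe)) $probe = dirname($probe);
        $real = realpath($probe);
        if ($real === false || strpos($real . DIRECTORY_SEPARATOR, $this->root . DIRECTORY_SEPARATOR) !== 0) {
            throw new RuntimeException('resolved path escapes the storage root');
        }
        return $target;
    }

    // Rename/move a markdown file; both ends are validated, so "../../index.php" never reaches rename().
    public function move(string $from, string $to): void
    {
        rename($this->resolve($from), $this->resolve($to));
    }
}
```

Calling `(new SafeStorage('/var/www/content'))->move('blog/post.md', '../../index.php')` throws on the second argument before any filesystem change is made.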