How do you permit PHP to write to a file without compromising server security

Question

I am often confronted with negative comments whenever I want to have a PHP script write output to a file on the server.

I use the fopen(), fwrite(

Answer 1

The risk is if that writable directory resides in an area accessible to the outside world. Then those with the right tools and know how can write anything they want to that directory... or file. They can then place malware in it or create a phishing scheme on your site.

Really they can do all kinds of things to compromise you. I have seen this on my own servers and haven't really found the right solution to this.

Answer 2

If you need to access the files from PHP after they are uploaded then they need to be stored with permissions that let the web server (apache in this case) access them. The risk that people speak of is that some script on your site could be fooled into serving up the file. It is a hypothetical risk, but one that has occurred with many Content Management Systems. To mitigate this risk:

1. Make the file name and path not easily guessable. If a user has a path to getfile.php?file=1.txt they can readily infer that there is a 2.txt as well. Crypt the name or make it unsequenced.
2. Make any script that serves up files affirm things such as the logged in user, authorization to the resource and strip anything from the file name containing a path to avoid rogue references to /etc/passwd and the like.

If you just need to drop the file off and never serve it or access it via PHP again, you have some more options. Either use the chmod or chown commands to make it unreadable to the apache user. If you want to be extra paranoid, have a cron script move the file (and rename it) to a location unknown within the PHP source. At least then if your server is hacked the intruder can't walk right into the directory, but we are getting toward the point where the discussion veers into operating system security.