Saving file on disk

In Java, while using Glassfish Server, we could only save files relative to our web application root. Thus you cannot directly save file on eg c:\p开发者_如何转开发rogram files\abc.txt whereas with php this is working. Is it valid? One should not be able to refer any location on hard disk outside web application root (unless you are using Virtual directory). Why are there so contradictory principles?

It's a security feature of Glassfish (via the security features of the JVM). You can disable it if you really want, but the idea is that even if you've got some nasty security exploit in your web app, that shouldn't compromise the rest of the box if it can be stopped.

I don't know whether PHP has such a feature at all - web application containers can do this (and similar things) reasonably easily due to the rest of the sandboxing of Java and the security managers available.

In practical, any deployed applications should not be able to make modification outside its scope because that may allow malicious (or buggy) applications from messing up the hosted server. That being said, it really depends on the application server too, some servers maybe stricter than others. I know for sure Tomcat allows me to write directly to my C drive whereas Websphere server will bark at me if I do so (even though there has to be an option where I can turn it off).

PHP has two such security features. Neither are enabled by default.

1. open_basedir is a configuration setting that restricts file operations to the specified directory trees. To match how Glassfish is configured, it should be set to the document root in the web server's configuration (using php_admin_value if you're using Apache)
2. safe_mode is Deprecated (i.e. do not use). It restricts file operations to ones that the user running PHP owns... most likely the account the web server uses.

PHP's older than Java EE containers. It lets you get away with a lot that you can't get away with in newer, less "trusting" systems.