开发者

Is fopen safe to use in public software?

问答 作者:

I am creating a web application that I hope to release to the public for downloading and installing on anyone's own web server, however I just was informed that some webhosts disable the use of fopen in php due to "security issue开发者_开发知识库s", particularly on shared hosts. I use fopen during the installation process of the application, should I be concerned about this? Is this a common practice in shared hosts? If so, is there another way I can write to a file? I have heard of cURL, but this would require more advanced knowledge on the part of the end user, no? If so, this can obviously not be expected. Thanks very much!

fopen() is never disabled. The php.ini setting "allow_url_fopen" however is. So if you only access local files, not http:// URLs via fopen() this is not really a concern.

If you need URL support you should otherwise include a HTTP request class, like the one in PEAR. This way you avoid the user-unfriendly dependency on the cURL extension module.

In my limited experience, fopen() is seldom disabled. Writing to a local file with curl is nonsense, so this wouldn't be an alternative. As all writing to a local file kind of depends on fopen, the most usual route for normal packages is:

  1. Trying to set the content in a file on installation (possibly a file already there with a decent default in the normal packages files).
  2. On failure, present to user with the content you'd like to set, and offer him the option to either copy/paste that content manually, or to retry to set the content (for instance, when the user sets the file permissions correctly, which you of course explain how to do).

using cURL:

 function GET($url,$header = null,$post = 0,$cookie = null){
                    $handle = curl_init();
                        curl_setopt($handle, CURLOPT_URL, $url);
                        curl_setopt($handle, CURLOPT_HEADER, $header);
                        curl_setopt($handle, CURLOPT_FOLLOWLOCATION, true);
                        curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);
                        if($post) {
                            curl_setopt($handle, CURLOPT_POST, true);
                            curl_setopt($handle, CURLOPT_CUSTOMREQUEST,($post)?"POST":"GET");
                            curl_setopt($handle, CURLOPT_POSTFIELDS, $post);
                        }
                        curl_setopt($handle, CURLOPT_COOKIE, $cookie);

                        if(preg_match('/https/',$url)) {
                            curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, false);
                        }
                            return($buffer = @curl_exec($handle)) ? $buffer : 0;
                }


                //A basic example of the requisition process : 
                        echo GET('http://google.com',1)

                //post data: 

                GET('/test.php',1,
                    array('Name' => 'Jet',
                          'id' => 12,
                          'foo' => 'abc'));
                returns:
                    successfully : source-code;
                    0 : Request failed

                //send cookies : 
                GET('http://example.com/send.php',1,
                                array('Name' => 'Jet',
                                      'id' => 12,
                                        'foo' => 'abc'),"cookies");

file_put_contents : http://php.net/file_put_contents

继续阅读:fopenphpsecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9