fopen() PHP problems when a file does not exist

[Steve Scrimpshire]

My remote server throws an error 'Permission denied' when my PHP script attempts to create a file that does not exist with fopen("whatever", w). I've tried all kinds of chmod values except 777 on the directory. Any ideas?

 

[edit] If I create the file manually and chmod it to 0666, it works fine)

[Cannonfodder]

Check out the discussion in this link.. Look for the info on suppressing error messages using @fopen(). I"m not saying this is your answer, but I might be barking up the right tree :)

 

http://www.php.net/manual/en/function.fopen.php

[paul]

try using fwrite instead for a file that you want to create from scratch.

 

or

exec("touch filename")

then do fopen("filename", w)

[Steve Scrimpshire]

I tried that, too. No go. What I finally did that worked was to have php write the file outside of /blah/blah/cgi-bin/ (I can make those directories world writable, but my other cgi script [perl] that accesses them, doesn't like it when a directory inside of /blah/blah/cgi-bin is world writable), so now all is well....kinda. Just don't know what the difference is of having a directory in or out of /cgi-bin world writable.

[paul]

why have you got php script in a cgi-bin ???

they don't need to be

[Steve Scrimpshire]

No no no...the PHP script is not in the cgi-bin, my other Perl script that reads the files the PHP script creates is in the cgi-bin and I was being lazy and didn't want to have to type a whole long file path in my Perl script, so I was having the PHP script write those files into a directory inside cgi-bin. I really wish I could write the Perl script in PHP, so I could consolidate them, but I am a little clueless when it comes to PHP. And I certainly couldn't do in the Perl script what the PHP script does (image stuff). LOL

[Steve Scrimpshire]

If you want to see what I was doing, look here:

 

http://omarserenity.com/funwithphp.php and click on an image. Just playing around.

[Steve Scrimpshire]

Thanks to everyone who responded so quickly, especially cannonfodder. I had already been there and read, cannonfodder, but after you posted, I decided to go there and read again, which lead me to attempting to use ftp to do it in fopen(), which worked, but only in the anonymous ftp directory, which made me think "They allow world writable files there, what if I didn't do it via FTP......." and then realized all I had to do was write the files to a directory outside of cgi-bin, chmodded accordingly.

 

Side note: Am I the only one who pronounces chmod in their head as CHEE-mod?

[paul]

you need to secure your php code a little more.

Check that the file that is being opened is allowed to be opened (like in the Apache DocumentRoot)

 

security breach

http://omarserenity.com/funwithphp.php?../..../../etc/passwd

although it says permission denied, you should dissallow ANY access to things outside your documnet root

example:

<?

if(eregi("..",$var)) {

    echo "YOU F@#KING HACKER !!!!";

    exit;

}

?>

just a nice simple security check

 

I've been caught by this one MANY times

[paul]

Side note: Am I the only one who pronounces chmod in their head as CHEE-mod?

 

:lol: yes !!

SEA -AY-CH-MOD

:P

[Steve Scrimpshire]

Thanks. I think I have it fixed.

[Cannonfodder]

I say cheh-mod as in eh? Must be cuz I live so close to Canada :roll:

[Steve Scrimpshire]

heh heh

 

Oh and thanks, Paul, for checking that out and pointing it out to me.

[aru]

about security:

 

I've played a bit (I'm not a cracker by any means) with your http://omarserenity.com/funwithphp.php page, and on my third attempt to cause an error I've discovered that your login name is omarsere which is a lot of information for just a try. At that point I stopped digging (you can check your logs, my IP was: 213.98.238.160)

 

I'm interested in security issues concerning to php because I'm building a php site and I want to make it as much cracker resistant as possible. Any basic rules to follow? like hiding information on errors, hiding url info, gets vs posts, and so on.

 

Anyone (paul?) can give me some hints, or point me to any urls with info on the issue? Thanks

 

Sorry for the offtopic, but I just don't want to start a new thread for such a simple question :)

[Steve Scrimpshire]

No problem for the offtopicness (offtopicity?)...I'm interested myself.