File Permissions
If only you and people you trust can log into your web server, you don’t need to worry about file permissions for files created by your PHP programs. However, most web sites are hosted on ISP’s machines, and there’s a risk that untrusted people will try to read files that your PHP program creates. There are a number of techniques that you can use to deal with file permissions issues.
Get It Right the First Time
Do not create a file and then change its permissions. This creates a race condition, where a lucky user can open the file once it’s created but before it’s locked down. Instead, use the umask( ) function to strip off unnecessary permissions. For example:
umask(077); // disable ---rwxrwx
$fp = fopen("/tmp/myfile", "w");
By default, the fopen( ) function attempts to create a file with permission 0666 (rw-rw-rw-). Calling umask( ) first disables the group and other bits, leaving only 0600 (rw-------). Now, when fopen( ) is called, the file is created with those permissions.
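The following is an added example, not code from the book: it wraps the umask( ) approach above in a helper that restores the previous mask afterwards and checks the resulting mode. It goes one step beyond the text by opening with mode "x" (exclusive create) instead of "w"; the helper name create_private_file and the temporary path are assumptions made for illustration.

```php
<?php
// Added example (not from the book): create a file that is private from the
// moment it exists, then confirm the resulting mode.

/**
 * Create $path with mode 0600 and return an open handle.
 * create_private_file() is a hypothetical helper name.
 */
function create_private_file(string $path)
{
    $old = umask(0077);          // mask off group/other bits before creation
    try {
        // "x" = exclusive create: fopen() fails if the path already exists,
        // so a file or symlink planted in advance is never reused.
        $fp = @fopen($path, 'x');
    } finally {
        umask($old);             // restore: the umask is process-wide
    }
    if ($fp === false) {
        throw new RuntimeException("could not create $path exclusively");
    }
    return $fp;
}

// Racy pattern the text warns against, for comparison:
//   $fp = fopen($path, 'w');   // file already exists with looser bits here
//   chmod($path, 0600);        // ...and is only locked down here

// Constructed sample path with an unpredictable suffix.
$path = sys_get_temp_dir() . '/private_' . bin2hex(random_bytes(8));
$fp = create_private_file($path);
fwrite($fp, "secret\n");
fclose($fp);

clearstatcache();
printf("%s mode: %04o\n", $path, fileperms($path) & 0777);

// A second attempt on the same path must be refused because of "x".
try {
    create_private_file($path);
    echo "unexpected: existing file was reopened\n";
} catch (RuntimeException $e) {
    echo "refused to reuse existing path\n";
}
unlink($path);
```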
Session Files
With PHP’s built-in session support, session information is stored in files in the /tmp directory. Each file is named /tmp/sess_id, where id is the name of the session, and is owned by the web server user ID, usually nobody.
This means that session files can be read by any PHP script on the server, as all PHP scripts run with the same web server ID. In situations where your PHP code is stored on an ISP’s server that is shared with other users’ PHP scripts, variables you ...