I would like to write a script to edit a css file or maybe even a slideshow for instance where a form will update the variables in my php document. I've been doing some reading and some say editing a php file directly is bad news due to security issues and to use xml.
I am not connecting to databases or anything like that. So my question is is this correct to write script to directly write/update a php file to changes its variables?
Thank you.
if you can correctly sanitize your input then it is a usable aproach. The worst that can happen is code injection. So do check for variable length and content very strictly. It is like eval(); only worse, as everyone else will run it to. If there are only variables to change you might consider using an .ini file for configuration. And Use the data in that from your PHP script
In general you should not run PHP scripts as a user with permissions to write to its own executable code; it means any file write vulnerability immediately escalates to a code execution vulnerability.
Writing dynamic data into a PHP file is risky. You would need to know how to serialise/escape any value to a PHP literal exactly; any error could result in code execution. Watertight code generation is in general a tricky thing.
There is almost certainly a better way to approach whatever it is you are doing. Putting data in a static store such as a config file or database, and reading the data at run-time, would seem to be the place to start.
I want to encode my codes with ionCube. But I do not know exactly how to prevent users from cracking it without encoding.
So I need some tips.
My project is a MVC.
Everything starts in index.php and it calls core.php and running goes.
How should I include files. How can I ensure that when a file is called it is the original one?
I know there is some PHP functions that print out function names, etc. I need to prevent this.
Users include index.php file from another file and try to get variables like using var_dump($_GLOBALS);
You can use the get_included_files function to see if there are other files included. But the best way is of course to trust your customers and regulate what they can and cannot do with your code through contracts.
I want to be able to store website configuration without the use of mysql. I also want the user to be able to change this information from a web page. What's the best methods to do so?
Valuable options are a SQLite database, or just a PHP file containing a serialized array if you want a really simple option:
// reading configuration
$config = unserialize(file_get_contents('config'));
// storing configuration
file_put_contents('config', serialize($config));
Storing a file is the easiest option. You could store it in plain text, XML, JSON, etc. You might want to try an ini file which can be read/written by PHP - in which case this answer should help.
I would use a .ini file format to store configuration. It's human readable in its raw format and fairly easy to parse via PHP (parse_ini_file). A point to note here is that PHP (strangely) doesn't support writing to ini files natively, but if you look at the manual page for parse_ini_file you can find an user submitted example of how do it.
Altough I have not used in PHP projects, YAML (Yet Another Markup Language) seems like a good format to store configuration info (it's pretty much the default config format for rails projects). You can use the syck pecl library to easily read and write stuff in the YAML format
You could try cloud based databases if you don't have access to store data on your own server.
Ok so this is my situation...a web application in PHP uses a "config" file for various parameters. This config file is nothing but a php file, say config.php with a global array of the form
$config['param_name'] = 'param_value';
$config['param_name2'] = 'param_value2';
Now I am currently writing an admin app that I want to use to control the main app. One of the things I want the admin app to be able to do is change the config values. So my use case will be something like change the value through an html form element and it should change the config.php replacing the value of the corresponding array index.
This is obviously not specific to php; but I'd love to hear some ideas on how one would go about editing this file. Any ideas?
Thanks!
I have another suggestion: have the configuration parameters sit in a database. Have your admin console work on the database instead.
If you are worried about performance, use APC to cache the parameters.
This way, you can add this configuration database to your other database backup procedure you have already in place.
I would suggest moving all configurable options out of the PHP file and into an external storage (INI file, database, xml, anything). Then you can initialize all the variables you read from the external file in your application's bootstrap file
Another option is to modify the PHP configuration file so it reads its information from an easy-to-access format like YAML.
That way the config file could be accessed by just about any language. A good alternative if you don't want yo use a database.
I am writing a PHP application that will have the ability to edit settings through a web interface. I didn't mean for the user (and actually, it will only be admins) to be able to load the file up in a text editor, but rather, they make a change using a form, and that will change the settings file (and do other things as well).
At this stage in the development, settings are stored in a PHP file, for example:
define ('UPLOAD_DIR','uploads/');
define ('DISPLAY_NUM',true);
$names = array('a' => 'b','c'=>'d','e'=>'f');
However, parsing arrays (and they get more complicated (i.e multilevel nested) than the above), doesn't seem so fun. And because specific settings can be added and removed, reading the entire file, and then writing out all the settings again, doesn't seem fun either.
What are the advantages and disadvantages to using the following formats? (And any others that I missed out):
Custom XML
INI (able to use parse_ini_file)
(Using a database is not suitable due to the requirements for the project. I understand in many situations a database would be prefered, just not in this case.)
If you were unable to use a database, and had to store settings that could be edited using a web interface, what would you do?
(Note: This is a different question to this one, where settings can't be changed, it's PHP file all the way. And yes, the setup does currently write out a PHP file with the correct settings.)
If you're not committed to using XML, you may like to consider YAML. I've only used it with Ruby, but a quick Google suggests there are a few options for PHP support. TBF, the links there include some arguments against using YAML with PHP, but YMMV.
OK, I didn't get any sort of answer I was looking for. Here's the sort of thing I was expecting.
INI
Storing settings in an INI file might be appropriate for simple settings which you want the user to edit by hand.
However, creating complex arrays is not easy, and would require some mental acrobatics to understand which heading is at which level of the array.
Reserved words, which must not be used anywhere in the file, include: yes, no, true, and false, this might be problematic.
Constants can be used in the file.
No built in method of writing out INI files.
XML
Can use the SimpleXML Extension, which "provides a very simple and easily usable toolset" to turn XML into an object that can then be processed using the normal methods.
Allows the use of very complex arrays.
Possible to edit by hand, if required.
Can use external tools to verify the validity of the file.
Many many XML processors available for PHP.
YAML
http://yaml.org/
http://www.techyouruniverse.com/software/dont-use-yaml-for-php-use-parse%5Fini%5Ffile
Remember: no database. Requires being able to use complex arrays.
I wouldn't like the idea of someone having direct access over settings, so it's important to provide an interface to act as a buffer, preventing deliberate attacks and ensuring clean output.
With that in mind the choice of server side format is not important at all, as long as you can interface with it correctly all other problems can be worked around.
I'd recommend a custom XML file, that way your config will scale well and you can use PHP XML libraries to access it.
A quick example:
<myconfig>
<define>
<name>UPLOAD_DIR</name>
<value>uploads/</value>
</define>
<define>
<name>DISPLAY_NUM</name>
<value>true</value>
</define>
<array id="names">
<value index="a">b</value>
<value index="c">d</value>
<value index="e">f</value>
</array>
</myconfig>
PHP has built in functions for editing and parsing INI files, which use a plain-text format to store program settings.
http://us.php.net/manual/en/function.parse-ini-file.php
http://us.php.net/manual/en/function.parse-ini-string.php
I have used a two step approach. The variables and their names are stored in the database with an interface that gives the user the ability to change them. When they change them a file gets saved onto the server and then referenced throught out the application (The changes are alos saved back to the DB). Makes updating easy and makes backups simple - no need to backup the files, just backup the database. The resulting files are just .inc files that are in the format $variableName = 'variablevalue';
And why not plain php?
configure-form.php
form method=POST action='configure.php',
input fields ex. name='upload' value='<?php echo UPLOAD; ?>'
a configure.php file:
$myfile = 'sets.php';
$fh = fopen( $myfile, 'w' );
$upload = '"/upload/"';
$txt = "define( UPLOAD, '" . $_POST['upload'] . "' );";
fwrite( $fh, $txt );
fclose( $fh );
and there you have it. Simple php which creates configure file for you.