What are the risks of saving files to the Apache server with PHP and how to avoid them?

I’m saving an HTML file containing part of a page, to be used later by HTMLDocX to generate a .docx file (see this related question).

To save it, I use ob_start and ob_get_clean to put the content in a variable:

ob_start();

// part of the page here

$var = ob_get_clean();

And then with file_put_contents I save the file to a server directory:

file_put_contents('/pasta/arquivo'.$id.'.html', $var); // creates the file with the id created earlier.

So, in the HTMLDocX template I just read the file with file_get_contents:

$html = file_get_contents('../../pasta/arquivo'.$id.'.html');

But then every time I test this on localhost (I haven’t deployed it to the server yet), I have to change the directory permission by hand (with chmod and so on). I know there must be a way to make this permission permanent, I just haven’t found it yet... but then I kept thinking that there may be serious security risks, since I’m giving write permission on a directory (777).

In short, the question is:

What are the risks involved in writing and later reading a .html file on an Apache server with PHP, and how can they be avoided? Is there a best practice for this?

Or would it be better to just save the HTML in the database and then access it through a MySQL query (I do that to generate the PDF, but for the docx I found it easier to just write the file and read it later through HTMLDocX...)?

1 answer

Saving files on the server is safe as long as it is configured correctly. Using 777 permissions is bad practice, but sometimes it is the only alternative when there is no root access.

The ideal is to assign write permissions to the server only (usually user www-data) with chown and chmod.

In practice, since it is necessary to manipulate the files (mainly in the development environment), I use 664 permissions for files and 775 for directories, with my user as the owner and apache as the owning group, like this:

drwxrwxr-x 24 meu-usuario www-data  4096 Out 23 13:20 arquivos
-rw-rw-r--  1 meu-usuario www-data  3710 Out 23 13:20 index.php

To configure the environment, the commands are (run as root):

chown -R :www-data /var/www/html/   # empty owner before the colon: changes only the owning group, not the owner
chmod -R g+w /var/www/html/

The first changes the owning group to the server's group recursively, and the second adds write permission for the group. By default the group already has read permission and, on directories only, execute permission. The directory /var/www/html/ is Apache's default; your environment may be elsewhere.

However, the files created by apache/PHP will not automatically be accessible to your user, but you can set up a scheduled task with the command crontab -e (as root), adding the line below in the editor to run the update every 5 minutes:

*/5 * * * * chown -R seu-usuario:www-data /var/www/html/ && chmod -R g+w /var/www/html/
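The setup described in this answer, as an added example that is not part of the original post: a helper that creates the shared directory with the developer as owner and the Apache group as owning group, plus an audit function that flags anything world-writable (the 777 case from the question). It assumes GNU coreutils (stat -c) and, for a real server, being root with OWNER set to your login and GROUP to www-data; it goes a step beyond the answer by setting the setgid bit (2775 rather than 775) so files Apache creates inherit the group without the cron job.

```shell
#!/bin/sh
# Added example (not from the original answer). Assumes GNU stat; run as root
# for a real www-data setup. Placeholders: OWNER, GROUP, DIR.

# setup_shared_dir DIR OWNER GROUP: create DIR owned by OWNER:GROUP, mode 2775.
setup_shared_dir() {
    mkdir -p "$1" || return 1
    chown "$2:$3" "$1" || return 1
    # rwx owner, rwx group, r-x others; setgid so new files inherit the group
    chmod 2775 "$1" || return 1
}

# is_not_world_writable PATH: succeeds when "others" lack the write bit.
is_not_world_writable() {
    mode=$(stat -c '%a' "$1") || return 1
    # leading 0 makes the shell read the mode as octal; 2 is the write bit
    [ $(( 0$mode & 2 )) -eq 0 ]
}

# has_group PATH GROUP: succeeds when PATH's owning group is GROUP.
has_group() {
    [ "$(stat -c '%G' "$1")" = "$2" ]
}

# audit_dir DIR GROUP: report entries that are world-writable or not in GROUP.
# Returns 1 if any problem was found, 0 otherwise.
audit_dir() {
    rc=0
    for entry in "$1" "$1"/*; do
        [ -e "$entry" ] || continue
        if ! is_not_world_writable "$entry"; then
            echo "world-writable: $entry"; rc=1
        fi
        if ! has_group "$entry" "$2"; then
            echo "wrong group: $entry"; rc=1
        fi
    done
    return $rc
}

# Usage on a real server (as root), using the names from the answer:
#   setup_shared_dir /var/www/html/arquivos meu-usuario www-data
#   audit_dir /var/www/html/arquivos www-data
```

The setgid bit only fixes the group of new files; whether they are group-writable still depends on the umask of the process creating them, which is why the answer's chmod -R g+w may still be needed for files PHP writes.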
