PHP5 Security Block!!


justlukeyou

I had a website running an XML script which worked perfectly but I have updated it by using XMLReader and PHP 5. However, there is a security update on PHP 5 which prevents me from accessing files on my server.

 

Someone has suggested I add a php.ini file with the following:

 

allow_url_fopen = on

 

allow_url_include = on

 

However I have also read that the whole purpose of the security update is to prevent this. Can someone advise me how I can get around this issue so that my server can read files and still operate by the PHP5 security update.

 

Any help would be greatly appreciated.

 

Thanks,

 

My page reads this.  "URL file-access is disabled in the server configuration"

 

I have found this but it relates to include which works: http://www.learnphponline.com/errors/url-file-access-is-disabled-in-the-server-configuration

I have read in a few places that you shouldn't switch the option on because it cancels the security measure.

If the configuration change is only required for one particular website then you should set the config value via a .htaccess file, not through the php.ini file as this will set the configuration server wide and affect all websites on the box.

That's great, thanks. How do I do that?

 

I have set up a htaccess file to tell it to upgrade to PHP5.  My host requested me to do this.

 

But I cannot include pages in that same folder.  So do I need to add something to the htaccess file?

 

Do I add this: allow_url_fopen = on to that .htaccess file?

php_flag allow_url_fopen on

 

If you are on a shared hosting package then you would never have access to the php.ini configuration file. Also the host may lock down the configuration changes that you can make through your .htaccess.

 

Shared server hosting is very restrictive.

Hi,

 

I am trying to update a MySQL database from an XML feed saved on my server.

 

If the default is changed to off to improve security why is it best to change it to on?

 

your script needs it to be on. if you don't want your script to work, leave it off.

Hi,

 

I have got it reading the document without having it on.  As per this page: http://www.learnphponline.com/errors/url-file-access-is-disabled-in-the-server-configuration

I don't understand, if the designers of PHP set a default off for security reasons why would you switch it on?

Because if you want external scripts (on other servers) to include scripts from your server it must be set to on. You can see where the security issues are in this. In your case, if the file is on the server where your web script is you should not be accessing files through a url. You should use the absolute path to the file i.e

$xml = file_get_contents('/path/to/file.xml');

or

$handle = fopen('/path/to/file.xml','r');

Thanks a lot, I see now.  This is the script I am using.  It's behaving very strangely by deleting the contents of the XML feed each time I run it.  It also comes up with an error for this "while ($xmlReader->read())"  However I have seen it on plenty of sites so it must be a proper piece of code.

 

Do you have any advice on how to improve and get this code working?

 

 

$xmlReader = new XMLReader();

$filename = "datafeed_98057.xml";
include $_SERVER['DOCUMENT_ROOT'] . '/productfeed/datafeed_98057.xml';

file_put_contents($filename, file_get_contents($url));

$xmlReader->open($filename);

while ($xmlReader->read())
{
    switch ($xmlReader->name)
    {
        case 'product':

            $dom = new DOMDocument();
            $domNode = $xmlReader->expand();
            $element = $dom->appendChild($domMode);
            $domString = utf8_encode($dom->saveXML($element));
            $product = new SimpleXMLElement($domString);

            $awImage = $product->image;

            //insert query
            if(strlen($image) > 0)
            {
                $query = mysql_query("REPLACE INTO productfeed
                (image)
                VALUES ('$awImage')");
                echo $awImage . "has been inserted </br>";
            }
            break;
    }
}
?>

Every time you take an action which might fail, like these:

 

file_put_contents($filename, file_get_contents($url));

$xmlReader->open($filename);

 

you need to check if it failed.  For example:

 

$retval = file_put_contents($filename, file_get_contents($url));
if ($retval === false) {
  die("file_put_contents to $filename from $url failed");
}

 

The manual explains what return values you should check for for each function, e.g. http://php.net/manual/en/function.file-put-contents.php

Thanks, how do I go about doing that?

 

I just thought I'd use the errors loading the page gives me.

I've spent 5 hours on this today, I'm shocked it's so difficult to read a file on your own server.  No wonder 90% of what I have read just says to open allow_url_ lol

 

 

The errors it gives you automatically often aren't enough.  Change this code:

 

file_put_contents($filename, file_get_contents($url));

 

to this:

 

$url_contents = file_get_contents($url);
if ($url_contents === false) {
  die("file_get_contents($url) failed");
}
if ($url_contents === '') {
  die("file_get_contents($url) returned no data");
}

$retval = file_put_contents($filename, $url_contents);
if ($retval === false) {
  die("file_put_contents($filename) failed");
}

 

That's a good start.  That will catch a number of possible failures you could get while reading the data and writing it to the file.

I tried to use your $xml = file_get_contents('/path/to/file.xml'); suggestion however it is doing something very bizarre for me

failed to open stream: No such file or directory in phpfeed.php on line 17

 

This is not bizarre. It is simple. The path you have used is incorrect. You have used a relative path as opposed to an absolute path. Do the following:

print $_SERVER['DOCUMENT_ROOT'];
exit();

This will give you the path to your document root i.e /home/username/public_html/.

Stick the xml file in this directory and use the path in the function that reads the file. Simple. Also as suggested make sure your script properly exits on error

if(!$xml = file_get_contents('/path/to/file.xml')) {
print 'Could not open xml file';
exit();
}

Thanks, that's great. The tutorial I'm using is using an external link, which is what I was trying to do but using a link on my server.

Thanks for all this, I shall give it a bash tonight.  Having error messages will help a lot.

 

I only have a few lines in the XML file to test it.

Hi,

 

I have spent a couple of hours on this but I am still no nearer.  I have entered the code but it is just printing this /kunden/homepages/1/d179449150/htdocs/(domain)

 

Does this mean my server is set up wrong and it is unable to identify the root folder?

 

This is the code I'm using:

 

$xmlReader = new XMLReader();

$filename = "datafeed_98057.xml";

print $_SERVER['DOCUMENT_ROOT'];
exit();

if(!$xml = file_get_contents('/path/to/datafeed_98057.xml'))
{ print 'Could not open xml file';
exit();}

file_put_contents($filename, file_get_contents($xml));

$xmlReader->open($filename);

$url_contents = file_get_contents($url);
if ($url_contents === false) {
  die("file_get_contents($url) failed");
}
if ($url_contents === '') {
  die("file_get_contents($url) returned no data");
}
$retval = file_put_contents($filename, $url_contents);
if ($retval === false) {
  die("file_put_contents($filename) failed");
}

while ($xmlReader->read())
{
    switch ($xmlReader->name)
    {
        case 'product':

            $dom = new DOMDocument();
            $domNode = $xmlReader->expand();
            $element = $dom->appendChild($domMode);
            $domString = utf8_encode($dom->saveXML($element));
            $product = new SimpleXMLElement($domString);

            $awImage = $product->image;

            //insert query
            if(strlen($image) > 0)
            {
                $query = mysql_query("REPLACE INTO productfeed
                (image)
                VALUES ('$awImage')");
                echo $awImage . "has been inserted </br>";
            }
            break;
    }
}
?>
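
The import loop discussed in this thread, written to read the feed by filesystem path (so allow_url_fopen can stay off), check each step, and bind the value instead of interpolating it into the SQL. This is an added example, not code from any poster: it assumes PDO with an in-memory SQLite table standing in for the MySQL productfeed table and a constructed sample feed in a temporary file, and importFeed is a hypothetical name.

```php
<?php
// Constructed sample feed written to a temp file. On a real site the path
// would be $_SERVER['DOCUMENT_ROOT'] . '/productfeed/datafeed_98057.xml'.
$path = tempnam(sys_get_temp_dir(), 'feed');
$sample = '<?xml version="1.0"?><products>'
        . '<product><image>http://example.com/a.jpg</image></product>'
        . "<product><image>it's-b.jpg</image></product>"
        . '<product><image></image></product></products>';
if (file_put_contents($path, $sample) === false) {
    die("could not write sample feed to $path");
}

// Assumption: in-memory SQLite via PDO stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE productfeed (image TEXT PRIMARY KEY)');
$insert = $db->prepare('REPLACE INTO productfeed (image) VALUES (:image)');

function importFeed(string $path, PDOStatement $insert): int
{
    $reader = new XMLReader();
    if (!$reader->open($path)) {          // a local path, never a URL
        throw new RuntimeException("cannot open $path");
    }
    $count = 0;
    while ($reader->read()) {
        if ($reader->nodeType !== XMLReader::ELEMENT || $reader->name !== 'product') {
            continue;                     // skip end tags, text and other elements
        }
        $node = $reader->expand();
        if ($node === false) {
            throw new RuntimeException('malformed <product> element');
        }
        $dom = new DOMDocument();
        $product = simplexml_import_dom($dom->importNode($node, true));
        $image = trim((string) $product->image);
        if ($image !== '') {
            // Bound parameter: the quote in the second sample cannot break the SQL.
            $insert->execute([':image' => $image]);
            $count++;
        }
    }
    $reader->close();
    return $count;
}

echo importFeed($path, $insert), " rows stored\n";
unlink($path);
```

The product with an empty image element is skipped, and the feed file is only read, never rewritten, so it is not emptied between runs.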

 

Archived

This topic is now archived and is closed to further replies.
