p2p.wrox.com Forums


beginning_php thread: function generates garbage characters for no obvious reason


Message #1 by "Lawrence" <lkrubner@g...> on Fri, 15 Feb 2002 15:56:56 -0500
Here I have a function that is supposed to overwrite an existing config file. The config file holds all the information needed for the other functions to access the database. The config file is included in other files that need this information. This function has information submitted to it from a form. Everything seems to work perfectly, except at the end there are 3 garbage characters (m" ;) plus an extra ending to the php code. Assuming I type in "xxx" for all the info, this is what I get, followed by the function itself. Can anyone see where the extra characters come from?

<?PHP
$host = "xxx";
 $username = "xxx";
 $passwordDb = "xxx";
 $database = "xxx";
 $passwordLr = "xxx";
?>m" ;

?>

// this function opens lr_config.php and sets the values of
// the 5 variables that are needed to make LR work
function setLrValues() {
    // first, we declare the global variables
    global $newhost ;
    global $newusername ;
    global $newpasswordDb ;
    global $newdatabase ;
    global $newpasswordLr ;

    // now we try to open the file lr_config.php. We look in the same
    // directory as lr_controlPanel.php. If you've placed these files in different
    // directories, then you'll need to edit this path. We open it in "r+" mode
    // to change some of the text and then write the new version of the file back
    // to disk. "w+" mode doesn't seem to work, for reasons I don't know.
    $fp = fopen ("lr_config.php", "r+") or die ("The correct file cannot be opened for editing. Check to see if the file lr_config.php has world write permissions");
    if (!$fp) die ("For some reason the file lr_functionsFile.php can not be opened. Have you moved it to a different directory than this file? If so, you will have to manually edit the values in the file lr_config.php.") ;

    // now we want to change the default values, so we create a string that
    // we can print to disk
    $updatedString = "<" ;
    $updatedString .= "?PHP \n" ;
    $updatedString .= "$" ;
    $updatedString .= "host = \"" .$newhost;
    $updatedString .= "\"; \n $" ;
    $updatedString .= "username = \"" .$newusername ;
    $updatedString .= "\"; \n $" ;
    $updatedString .= "passwordDb = \"" .$newpasswordDb;
    $updatedString .= "\"; \n $" ;
    $updatedString .= "database = \"" .$newdatabase;
    $updatedString .= "\"; \n $" ;
    $updatedString .= "passwordLr = \"" .$newpasswordLr;
    $updatedString .= "\"; \n" ;
    $updatedString .= "?" ;
    $updatedString .= ">" ;

    // now we try to write the file back to where it was
    fwrite ($fp, "$updatedString") or die ("For some reason the information you've given could not be written to disk. Check and make sure that the file lr_config.php has world write permissions given.");

    // now close the file pointer
    fclose($fp) or die ("There was trouble writing the new information to disk. You may need to try again or start over.");

    // now echo a message and a link
    echo "The information seems to have been written to disk. Welcome to LogRhythm. If you have any trouble accessing your database, the first thing you should do is open the file lr_config.php and check the values. You can now return to <a href=\"lr_controlPanel.php\">the control panel's main page</a>." ;
    return ;
}

Message #2 by "Nikolai Devereaux" <yomama@u...> on Fri, 15 Feb 2002 14:08:59 -0800

I haven't taken a look at your function yet, but out of curiosity, why are you using "" quoted strings?  You really should use a single quoted string and not have to make things a bit uglier by concatenating "$" and "varname".

$updatedString  = "<?php\n";
$updatedString .= '$host = "' . "$newhost\";\n";
$updatedString .= '$username = "' . "$newusername\";\n";

etc.

Also -- this seems redundant:

$fp = fopen(...) or die (...);

if (! $fp) die (...);

Can you give me a scenario when the second die() statement will ever be called?

If I figure anything out with your actual problem, I'll let you know. =)

nik

Message #3 by "Nikolai Devereaux" <yomama@u...> on Fri, 15 Feb 2002 14:15:21 -0800

Okay, I ran your function and it worked fine for me with "w+" being passed to fopen.

maybe the webserver doesn't have write permissions in that directory so it can't create a file if it doesn't exist already.

Anyway, the only thing I can think of is that you're using "r+" mode to write to an existing file.  The contents of the file are overwritten, but the file itself is not truncated to 0 bytes like it is with "w+".

What's probably happening is that the first time you created the file, it was, say, 50 characters long.

Then when you ran your script, it only wrote 43 characters.

The last 7 characters of the file will remain there because you never cleared the rest of the file before closing the file pointer.

hth, nik



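The "r+" behaviour described in Message #3, as an added example that is not part of the original thread: it overwrites a longer file with shorter contents in three ways and prints whatever bytes of the old file survive. The demo file name and both config strings are constructed.

```php
<?php
// Added example. The file name and both config strings are constructed.
$path = sys_get_temp_dir() . '/lr_rplus_demo.php';
$old  = "<?php\n\$host = \"a-longer-hostname\";\n?>\n";   // previous, longer file
$new  = "<?php\n\$host = \"xxx\";\n?>";                    // shorter replacement

// Overwrite $path from offset 0 in the given fopen() mode and return the
// resulting file contents. With $truncate, cut the file at the end of the
// newly written data.
function overwrite(string $path, string $mode, string $data, bool $truncate): string
{
    $fp = fopen($path, $mode);
    if ($fp === false) {
        throw new RuntimeException("cannot open $path in mode $mode");
    }
    $written = fwrite($fp, $data);
    if ($written !== strlen($data)) {
        throw new RuntimeException("short write to $path");
    }
    if ($truncate && !ftruncate($fp, $written)) {
        throw new RuntimeException("cannot truncate $path");
    }
    fclose($fp);
    return file_get_contents($path);
}

$cases = [
    'r+ without truncate' => ['r+', false],  // the behaviour seen in the thread
    'r+ with ftruncate()' => ['r+', true],
    'w+'                  => ['w+', false],  // truncates on open
];
foreach ($cases as $label => [$mode, $truncate]) {
    file_put_contents($path, $old);          // reset to the longer file
    $result   = overwrite($path, $mode, $new, $truncate);
    $leftover = (string) substr($result, strlen($new));
    printf("%-20s leftover bytes: %s\n", $label, json_encode($leftover));
}
unlink($path);
```

Only the first case leaves a tail of the old file after the new closing tag; the other two end exactly where the new data ends.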



Message #4 by "Lawrence" <lkrubner@g...> on Fri, 15 Feb 2002 20:08:56 -0500
From: "Nikolai Devereaux" <yomama@u...>
> Okay, I ran your function and it worked fine for me with "w+" being passed
> to fopen.
> maybe the webserver doesn't have write permissions in that directory so it
> can't create a file if it doesn't exist already.
> Anyway, the only thing I can think of is that you're using "r+" mode to
> write to an existing file.  The contents of the file are overwritten, but
> the file itself is not truncated to 0 bytes like it is with "w+".

You were right again. The problem with w+ is that I'd forgotten to set the file permissions to world writeable. I made the change and now it works.

Still, I do not like this solution. Having a config file that is world writeable seems very insecure to me. Is there a way to overwrite the file without making it world writeable? How do other pieces of software take care of this?



Message #5 by "Nikolai Devereaux" <yomama@u...> on Mon, 18 Feb 2002 11:39:19 -0800

You might be able to add the web server user (let's say the username is www) to a group and only make the file group writeable.

Or, you should change the permissions of the directory so that www owns the directory and the files inside.  Give www full permissions in its own directory and you won't have a problem with world permissions.

nik



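One way to apply the group-writeable suggestion from Message #5, as an added example that is not part of the original thread: the writer refuses a world-writable config file and otherwise overwrites it in place, so the web server user needs write permission on the file only. The function name `writeLrConfig`, the demo path and the sample values are assumptions made for this example; it assumes a POSIX file system.

```php
<?php
// Added example. The demo path and values are constructed; on a real host the
// file would be owned by the site account with group = the web server's group.

// Overwrite an existing config file in place, so the web server needs write
// permission on the file only (mode 0660 via group), and refuse to touch a
// file that "other" can write.
function writeLrConfig(string $path, array $values): void
{
    clearstatcache(true, $path);
    $mode = @fileperms($path);
    if ($mode === false) {
        throw new RuntimeException("cannot stat $path");
    }
    if ($mode & 0002) {
        throw new RuntimeException(sprintf(
            '%s is world-writable (mode %04o); use 0660 or stricter',
            $path, $mode & 07777));
    }
    $out = "<?php\n";
    foreach ($values as $name => $value) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad variable name: $name");
        }
        // var_export() emits an escaped PHP string literal, so a quote typed
        // into the form cannot break the generated file.
        $out .= '$' . $name . ' = ' . var_export((string) $value, true) . ";\n";
    }
    // LOCK_EX keeps two requests from interleaving their writes; the old
    // contents are replaced completely, so no stale tail is left behind.
    if (file_put_contents($path, $out, LOCK_EX) === false) {
        throw new RuntimeException("could not write $path");
    }
}

$path = sys_get_temp_dir() . '/lr_config_demo.php';
$values = ['host' => 'localhost', 'username' => 'lr', 'passwordDb' => 'pa"ss',
           'database' => 'lr', 'passwordLr' => 'xxx'];
touch($path);
chmod($path, 0666);                       // the setting the thread wants to avoid
try {
    writeLrConfig($path, $values);
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
chmod($path, 0660);                       // owner + group only
writeLrConfig($path, $values);
echo file_get_contents($path);
unlink($path);
```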



Message #6 by "Hermawan Haryanto" <hermawan@h...> on Tue, 19 Feb 2002 02:58:58 +0700
using www as the webserver user is the same as nobody.
Could you just use SUDO ?

Thanks

Hermawan Haryanto
hermawan@h...






Message #7 by "Lawrence" <lkrubner@g...> on Tue, 19 Feb 2002 17:08:07 -0500
> using www as the webserver user is the same as nobody.
> Could you just use SUDO ?
> Thanks
> Hermawan Haryanto

On www.php.net it says:

If you allow sudo execution for chmod by "nobody" (www, webdaemon, httpd, whatever user php is running under) in this manner, it had better be a system on which the owner is able to be root and no one else can run code, else your whole system is compromised.  Someone could change the mode of /etc/passwd or the shadow password file.

Other system commands (sudo mount) and so forth are similar.













