[RESOLVED] Confused - XML generating with users

ancibit

I'm just generally lost on how to set this up. I want to have a form that people access and fill out, which goes to a php page that generates an XML file and stores it on the server. It's not a full community though, so I only want them to "log in" for one page, perhaps just providing a username and password on that form.

If anyone could point me to a site where I could learn more about this, or if someone could give a brief outline of how to do it, then I'd greatly appreciate it. Thank you for at least taking the time to read this.

bbreslauer

Why do you want to create an XML file, as opposed to using a database? PHP has great MySQL functions, and it's easy to create something like this using a database. It's probably a little harder to create an XML file, though I haven't used XML in conjunction with PHP, so I wouldn't be able to answer your question if you want to use XML.

ancibit

Okay, well, just think of it as generating a file out on the server. I can do the XML part, I just need to know the most secure way of putting the file on the server. Sorry if what I posted wasn't real clear.

bbreslauer

Oh, ok. Well, if the file does not have sensitive information (passwords, SSNs, etc), then you can just store it anywhere you want, though people will be able to read it if they find where it's stored. If it does contain sensitive informations (which it sounds like), then you should store the file outside of the webroot (the root directory of the web server) and outside of any folder that the http server has access to. You'll probably need to open it like this:

fopen("/path/to/file.xml", "r+");

You'll want to use an absolute path to the directory and file, since you won't want it to have anything to do with where the script that creates the XML file is. The file should probably also be chmod'ed to 600 (read and write for the owner, no other permissions) and should be owned by the web server user (usually http or apache, on apache installs).

ancibit

Now, if I have the page build the XML from user input fields, there aren't any security issues, right? That's all I was worried about is someone potentially doing something harmful to the server. Now, I may just be paranoid, because the page will generate the XML tags around the data, but... Still... Would it be safe if I went ahead with the file writing in such a behavior? The site isn't advertised, and there should only be two links in an invitation-only Yahoo! group and another unadvertised website. Am I safe?

Oh, also, is there a way for PHP to chmod the file for you?

bbreslauer

I can't think of any security issues with just writing to a file. I mean, if they were able to get into the crontab, and/or put a program somewhere on the server, then there would be a problem. But if you're sanitizing the input (and putting everything in with XML tags around it), then you shouldn't have a problem.

As for chmod'ing the file, there's a great PHP function called chmod (great, isn't it :-P). You can see the manual page here: http://us2.php.net/chmod

Alternatively, you could use the exec() function to execute a program, such as chmod. But this would probably create more security concerns than you would want.

ancibit

LOL, thank you a bunch for all your help! ^-

bbreslauer

No problem!