
Secure Delete in PHP

Posted: Thu Apr 08, 2010 9:31 am
by jasonlfunk
I want to overwrite a file with random data before deleting it to improve security a little. Does the following code do that?

Code:

        //wipe the file
        $fs = filesize($uploaded_file);
        //write over the file with random characters 5 times
        for($i=0;$i<5;$i++)
        {
                $fh = fopen($uploaded_file,"w");
                mt_srand();
                //inner counter is $j so it does not clobber the pass counter $i
                for($j=0;$j<$fs;$j++)
                {
                        fwrite($fh,chr(mt_rand(65,90)));
                }
                fclose($fh);
        }
        unlink($uploaded_file);
I guess my question is how PHP is implemented. Does fopen(file,"w") put the file pointer actually at the beginning of the file in memory?

Re: Secure Delete in PHP

Posted: Thu Apr 08, 2010 10:33 am
by VladSun
http://www.php.net/manual/en/function.fopen.php
PHP Manual wrote:
mode Description
'r' Open for reading only; place the file pointer at the beginning of the file.
'r+' Open for reading and writing; place the file pointer at the beginning of the file.
'w' Open for writing only; place the file pointer at the beginning of the file and truncate the file to zero length. If the file does not exist, attempt to create it.
'w+' Open for reading and writing; place the file pointer at the beginning of the file and truncate the file to zero length. If the file does not exist, attempt to create it.
'a' Open for writing only; place the file pointer at the end of the file. If the file does not exist, attempt to create it.
'a+' Open for reading and writing; place the file pointer at the end of the file. If the file does not exist, attempt to create it.
'x' Create and open for writing only; place the file pointer at the beginning of the file. If the file already exists, the fopen() call will fail by returning FALSE and generating an error of level E_WARNING. If the file does not exist, attempt to create it. This is equivalent to specifying O_EXCL|O_CREAT flags for the underlying open(2) system call.
'x+' Create and open for reading and writing; place the file pointer at the beginning of the file. If the file already exists, the fopen() call will fail by returning FALSE and generating an error of level E_WARNING. If the file does not exist, attempt to create it. This is equivalent to specifying O_EXCL|O_CREAT flags for the underlying open(2) system call.

Re: Secure Delete in PHP

Posted: Thu Apr 08, 2010 11:29 am
by jasonlfunk
Right. I know that. My question is more low level than that. When PHP truncates the file to zero, I assume it's simply adding a null byte at the beginning of the file, leaving all the data there. I want to write over that data.

Re: Secure Delete in PHP

Posted: Thu Apr 08, 2010 11:39 am
by VladSun
I think it's up to the OS, not PHP itself. Simply use the r+ flag, overwrite the content and delete.

Re: Secure Delete in PHP

Posted: Tue May 11, 2010 3:45 am
by timWebUK
It depends on how efficient the file system being used is. It may just rewrite the block containing the location/length of the file with the new physical location on disk of the bytes, leaving the old ones there but 'flagging' them as free, leaving the filesystem fragmented but working.
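
Added example, not part of any post in this thread: the r+ approach VladSun suggests, written out so the overwrite happens at the file's existing offsets and is flushed before the unlink. The helper names overwrite_in_place() and wipe_and_unlink() are hypothetical, and random_bytes() and fsync() assume PHP 7 and PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

function overwrite_in_place(string $path, int $passes = 1): bool
{
    // 'r+' positions the pointer at offset 0 and does NOT truncate. With 'w'
    // the file is cut to zero length first, so its old blocks are released
    // before a single random byte is written.
    $fh = fopen($path, 'r+');
    if ($fh === false) {
        return false;
    }
    $size = fstat($fh)['size'];
    for ($pass = 0; $pass < $passes; $pass++) {
        rewind($fh);
        $left = $size;
        while ($left > 0) {
            $n = min(65536, $left);       // write in 64 KiB chunks
            if (fwrite($fh, random_bytes($n)) !== $n) {
                fclose($fh);
                return false;
            }
            $left -= $n;
        }
        fflush($fh);                      // PHP buffer -> OS
        if (function_exists('fsync')) {   // PHP >= 8.1: OS cache -> device
            fsync($fh);
        }
    }
    return fclose($fh);
}

function wipe_and_unlink(string $path, int $passes = 1): bool
{
    return overwrite_in_place($path, $passes) && unlink($path);
}

// Constructed sample input: a temporary file holding a fake secret.
$tmp = tempnam(sys_get_temp_dir(), 'wipe');
file_put_contents($tmp, str_repeat('SECRET-', 1000));
$before = filesize($tmp);
overwrite_in_place($tmp);
clearstatcache();
printf("size kept: %s, secret still readable: %s\n",
    var_export(filesize($tmp) === $before, true),
    var_export(strpos(file_get_contents($tmp), 'SECRET-') !== false, true));
printf("deleted: %s\n", var_export(wipe_and_unlink($tmp), true));
```

This only guarantees that the same logical offsets are rewritten. As timWebUK's post says, whether the old physical blocks are actually replaced is decided by the file system and the storage underneath it (copy-on-write or journaling file systems and SSD wear levelling can leave the old data in place).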