warning file() disabled security purposes

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

justlearnin
Forum Newbie
Posts: 3
Joined: Tue Jun 14, 2005 3:40 pm

warning file() disabled security purposes

Post by justlearnin »

justlearning here, was playing with a news article script and...
I get this error "warning file() has been disabled for security purposes in my path to public html on line ....."

From what I understand, this is some setting in php.ini

disable_functions = ini_set, exec, popen, passthru, file, system, shell_exec

If I remove [ file ] from the list above, will I put my server at risk, and is there a workaround to my prob... (happens on a lot of scripts I try)

Also, is anything missing I should add to this line...
disable_functions = ini_set, exec, popen, passthru, file, system, shell_exec


Thanks in advance from a PHP noob ....
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Speaking generally... if your users are not in some sort of sandbox, such as safe mode or phpsuexec, then you would want to disable file system access. This way they can't read files that don't belong to them, such as /etc/passwd.

Would need a lot more info to comment on your situation.

Oh ... and welcome to phpDN.
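
An added example, not part of any post in this thread: a PHP check that parses a disable_functions value (here the one quoted in the question) and reports which functions from a review list are still callable. The helper names parseDisabled and auditDisabled and the contents of $reviewList are assumptions made for this illustration; the list is not exhaustive.

```php
<?php
// Added example: audit a disable_functions value for coverage gaps.
// $reviewList below is an assumption chosen for the illustration,
// not an official or complete list of sensitive functions.

function parseDisabled(string $value): array
{
    // php.ini takes a comma-separated list; function names are case-insensitive.
    $names = array_map('trim', explode(',', strtolower($value)));
    return array_values(array_filter($names, 'strlen'));
}

function auditDisabled(string $value, array $reviewList): array
{
    $disabled = parseDisabled($value);
    $report = [];
    foreach ($reviewList as $group => $functions) {
        // Whatever is in the review list but not in the setting is still callable.
        $report[$group] = array_values(array_diff($functions, $disabled));
    }
    return $report;
}

// The value quoted in the thread.
$fromThread = 'ini_set, exec, popen, passthru, file, system, shell_exec';

$reviewList = [
    'file read'         => ['file', 'file_get_contents', 'fopen', 'readfile'],
    'command execution' => ['exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open'],
];

foreach (auditDisabled($fromThread, $reviewList) as $group => $stillEnabled) {
    printf(
        "%-18s still callable: %s\n",
        $group,
        $stillEnabled ? implode(', ', $stillEnabled) : '(none)'
    );
}

// The running interpreter's own setting can be audited the same way:
// auditDisabled((string) ini_get('disable_functions'), $reviewList);
```

Because disable_functions blocks only the names listed, removing or keeping `file` on its own changes little while the other read functions in the review list stay enabled.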
justlearnin
Forum Newbie
Posts: 3
Joined: Tue Jun 14, 2005 3:40 pm

file() disabled

Post by justlearnin »

Hey, thanks for the reply. I'm HTML/CSS literate but new to PHP, so forgive anything ignorant I might say... I just set up a web server using a preconfigured package referred to as mini-apache [apache2 php5].


First purpose was to set up PHP locally just so I can make an attempt to learn it ...... I grabbed a few simple scripts for reading and writing to a file (txt file), like a news script or something, and I kept getting the warning file() has been disabled for security reasons.... I figured it had something to do with permissions ...

I looked in php.ini and saw file was in the disabled function group.... And I understand if I eventually got users other than myself it could be a prob with passwords and such like you said, but until then can I just yank it out of the disabled group in php.ini or is there a better way of doing such a thing (filesystem access)....

Windows/apache2/php5


And thanks for the welcome, I think I'm in over my head with this PHP stuff and I'm glad I found this place ... good place to read other people's problems/solutions....
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Re: file() disabled

Post by Buddha443556 »

Glad to see you setting up a development server. I think that's a great first step.
justlearnin wrote: until then can I just yank it out of the disabled group in php.ini or is there a better way of doing such a thing (filesystem access)....
Yeah just yank those out of php.ini, those are for a production server.

As for a better way of doing that? Well yeah ... use Linux instead of Windows when you set up your production server. You'll have many more options with Linux, IMHO.
justlearnin
Forum Newbie
Posts: 3
Joined: Tue Jun 14, 2005 3:40 pm

file() warning

Post by justlearnin »

Great, now I can play with PHP and no pesky warning till I get a grip on the language... thanks for the tip...