
receiving xml files via http post - security

Developer https://www.devze.com 2023-01-11 12:01 Source: web

I've a basic PHP script set up on a web server to accept XML files sent via HTTP POST. So far so good. But I'm wondering about security issues and what other things I would need to be aware of before I could put this live. Has anyone done this before, and what things should I be aware of?

Basically all I have so far is:

<?php

// Reply as XML regardless of outcome.
header('Content-type: text/xml');

if ( $_SERVER['REQUEST_METHOD'] == 'POST' )
{
    // Raw request body, i.e. the posted XML document.
    $postText=file_get_contents('php://input');
    // File name is chosen by the server from the current timestamp.
    $datetime=date('ymdHis'); 
    $xmlfile="myfile" . $datetime . ".xml"; 
    // Written into the script's own directory (the web root).
    $FileHandle=fopen($xmlfile, 'w') or die("can't open file"); 
    fwrite($FileHandle, $postText); 
    fclose($FileHandle);
    echo 
    '<?xml version="1.0" encoding="UTF-8"?>
    <cXML>
    <Response>
    <Status code="200" text="OK">OK</Status>
    </Response>
    </cXML>';
}
?>

which just writes the XML files onto the web server. What checks would I need to be doing, etc.?

Thanks,


You should consider:

  • Whether you want the files you're writing to be accessible over HTTP. If you don't, you should move them to a directory the web server cannot access.
  • This is susceptible to a denial of service attack; an attacker could fill your disk with garbage XML files and make you run out of disk space. You can prevent this by securing the access to your PHP script (if possible), otherwise make a check against the available disk space.

By the way, this would be more memory efficient:

// Stream the request body instead of loading it into a string first.
$post = fopen("php://input", "r");
if ($post === false) { ... }  // handle the open failure here
// file_put_contents() accepts a stream resource and copies it to the file.
file_put_contents($xmlfile, $post);


You’re not letting the user decide the file’s name. This is good.

The most important problem I see here is that you don’t limit the maximum file size. Without that, users can spam your server and fill up the hard disk, causing it to malfunction.
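The two answers above point at the same hardening steps: keep the stored files out of the web root, cap the body size, and check free disk space. The following is an added example, not the asker's script or either answerer's code, that combines them in PHP and also parses the body with external entity loading and network access off so a hostile DOCTYPE is refused rather than stored. The inbox path, the 1 MB limit and the 100 MB free-space floor are assumed values.

```php
<?php
declare(strict_types=1);

// Added example. Assumptions (not from the thread): INBOX_DIR exists, is
// writable by the web server user and lies outside the document root; the
// size limit and free-space floor are illustrative values.
const MAX_BYTES      = 1000000;             // 1 MB per posted document
const INBOX_DIR      = '/var/spool/xml-inbox';
const MIN_FREE_BYTES = 100 * 1024 * 1024;   // refuse writes below 100 MB free

/** Send a cXML status response and stop; $text is escaped for the XML. */
function respond(int $code, string $text): void
{
    http_response_code($code);
    header('Content-Type: text/xml; charset=UTF-8');
    $safe = htmlspecialchars($text, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    echo '<?xml version="1.0" encoding="UTF-8"?>'
       . "<cXML><Response><Status code=\"$code\" text=\"$safe\">$safe</Status></Response></cXML>";
    exit;
}

/** Return the body if it fits within $max bytes, otherwise null. */
function read_body_limited(int $max): ?string
{
    $declared = (int) ($_SERVER['CONTENT_LENGTH'] ?? 0);
    if ($declared > $max) {
        return null;                        // cheap rejection before reading
    }
    // Content-Length is client-supplied, so cap the read itself as well:
    // reading one byte more than allowed exposes an understated length.
    $body = file_get_contents('php://input', false, null, 0, $max + 1);
    if ($body === false || strlen($body) > $max) {
        return null;
    }
    return $body;
}

/** Well-formedness check with network access off; any DOCTYPE is refused. */
function is_safe_xml(string $body): bool
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // default behaviour from PHP 8.0 on
    }
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    $ok   = $dom->loadXML($body, LIBXML_NONET); // no LIBXML_NOENT, no LIBXML_DTDLOAD
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    // Rejecting every DOCTYPE rules out external entities and entity-expansion bombs.
    return $ok && $dom->doctype === null;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, 'Method Not Allowed');
}
if (stripos($_SERVER['CONTENT_TYPE'] ?? '', 'xml') === false) {
    respond(415, 'Unsupported Media Type');
}

$body = read_body_limited(MAX_BYTES);
if ($body === null) {
    respond(413, 'Payload Too Large');
}
if ($body === '' || !is_safe_xml($body)) {
    respond(400, 'Malformed XML');
}

// Free-space floor: the first answer's guard against disk-filling spam.
$free = disk_free_space(INBOX_DIR);
if ($free === false || $free < MIN_FREE_BYTES) {
    respond(507, 'Insufficient Storage');
}

// Server-chosen name with a random suffix so two requests in the same second
// cannot collide; 'x' mode creates the file and fails instead of overwriting.
$path = INBOX_DIR . '/' . date('YmdHis') . '-' . bin2hex(random_bytes(8)) . '.xml';
$fh   = fopen($path, 'x');
if ($fh === false || fwrite($fh, $body) !== strlen($body)) {
    respond(500, 'Could not store document');
}
fclose($fh);
respond(200, 'OK');
```

The stored document is parsed only to confirm it is well-formed and DOCTYPE-free; nothing from it is echoed back, and the response text is escaped so the cXML reply stays well-formed whatever the status string contains.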
