Not sure I understand how you concluded that web server should not create
files, it certainly should not be able to create files on client machines
without permission of user (which it cannot do).  Users should not be able
to upload files to the server without the permission of the web application,
but if a web application performs the upload and controls where the file
goes and what is in the file, that would be safe.  If the web application
completely controls where temporary files go and what goes in them
(variables) then how is that unsafe?

On the subject of using the database, check out which environment variables
actually control session management (you can do this by running the
phpinfo() function).  There are two major configuration options which you
have full control over; 1. If the sys admin controls the "default"
configuration of where to write the session data (usually points to /tmp
directory), then the session_set_save_handler function is your way to
override those parameters.  2.  In fact if you read the routine that
performs garbage collection (deletes expired session data) session
management will pass to that routine the parameter that controls the default
lifetime from the sysadmin's setup data, which you as the writer of the
routine are free to ignore and use your own.  Only caveat is you need to
include these routines in every page that records data to a session (no big
deal).

I wish you luck on this, you seem to have been advised on some rules, by
people who didn't know what they were talking about, or perhaps you
understood their recommendations out of context, and that makes it hard for
you.  I really think session management is the way to resolve your problem.
It would be interesting for you to get a couple of opinions on the subject
of creating files on a server.  You could create routines that would write
to physical files in these save_handler functions and put them in your user
directory if you like, but I would not mix these files in the same directory
as your application code, perhaps a sub directory.  I would be willing to
bet there are log files that are updated on your server every time someone
accesses one of your web pages.

Good luck,

Warren Vail
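
The setup described in this reply, as an added example that is not part of the original thread: a session save handler that keeps its files in a private directory and applies its own lifetime during garbage collection. It assumes PHP 8.0 or later (the thread's PHP 4.1.1 passed separate callback functions to session_set_save_handler instead); the class name, directory and 1800-second lifetime are hypothetical.

```php
<?php
// Added example. Class name, directory and lifetime are assumptions.
final class PrivateDirSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir, private int $lifetime = 1800) {}

    // Accept only a well-formed session id so it can never become a path
    // such as "../../somefile".
    private function path(string $id): ?string
    {
        return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) ? "{$this->dir}/sess_$id" : null;
    }
    public function open(string $path, string $name): bool
    {
        // Ignore the server-wide save path; use our own owner-only directory.
        return is_dir($this->dir) || mkdir($this->dir, 0700, true);
    }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $f = $this->path($id);
        $stale = $f === null || !is_file($f) || filemtime($f) + $this->lifetime < time();
        return $stale ? '' : (string) file_get_contents($f);
    }
    public function write(string $id, string $data): bool
    {
        if (($f = $this->path($id)) === null) return false;
        $old = umask(0077);                       // new files are created 0600
        $ok = file_put_contents($f, $data, LOCK_EX) !== false;
        umask($old);
        return $ok;
    }
    public function destroy(string $id): bool
    {
        $f = $this->path($id);
        return $f === null || !is_file($f) || unlink($f);
    }
    public function gc(int $max_lifetime): int|false
    {
        // $max_lifetime is the server's configured value; apply ours instead.
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) + $this->lifetime < time() && unlink($f)) $removed++;
        }
        return $removed;
    }
}

// Assumed location: a directory next to, not inside, the web-served code.
session_set_save_handler(new PrivateDirSessionHandler(dirname(__DIR__) . '/private_sessions'), true);
session_start();
```

The file has to be included on every page that uses the session, before any output is sent.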

-----Original Message-----
From:   Chris Kay [mailto:[EMAIL PROTECTED]]
Sent:   Wednesday, February 27, 2002 12:36 AM
To:     'Warren Vail'
Cc:     [EMAIL PROTECTED]
Subject:        RE: [PHP] Writing to files


I know I can do this with sessions, reason I am asking is

webserver should not be able to create file (for security reasons),
I would have maybe thought php could create a file as a different user.
php is not always used by the box owner. I find it strange that such an
option is only available if you run the box or the webserver is run as
that user.

Sessions and such need configurations that need to be configured by the
server admin etc.... I was hoping there was a way that didn't rely on a
special configuration and stayed in the user's directory

-------
Chris Kay, Eleet Internet Services
[EMAIL PROTECTED]
-------


-----Original Message-----
From: Warren Vail [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 February 2002 6:51 PM
To: Chris Kay
Subject: RE: [PHP] Writing to files


Suggest you understand how session management works.  Whether you store
in a file or database, the entries are removed if the user fails to
return after a limited amount of time, and are kept in a separate table in
the database. You can post the results to your actual data tables when
you are completed. If you don't want to store the data in files, or in a
database, what did you have in mind?  There is no rule that says you can
only store permanent data in a data base.

-----Original Message-----
From:   Chris Kay [mailto:[EMAIL PROTECTED]]
Sent:   Tuesday, February 26, 2002 11:43 PM
To:     'Warren Vail'; [EMAIL PROTECTED]
Subject:        RE: [PHP] Writing to files


The data will be stored in mysql, but I don't wish to store in sql
until it's completed. In case a user leaves the application before
completing it.

-------
Chris Kay, Eleet Internet Services
[EMAIL PROTECTED]
-------


-----Original Message-----
From: Warren Vail [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 27 February 2002 6:37 PM
To: Chris Kay; [EMAIL PROTECTED]
Subject: RE: [PHP] Writing to files


What you are describing is exactly how session management works, storing
things in a file in the /tmp directory.  Perhaps you could consider
using the session save handler functions to store the session data in
your protected database (MySQL?).

Warren Vail

-----Original Message-----
From:   Chris Kay [mailto:[EMAIL PROTECTED]]
Sent:   Tuesday, February 26, 2002 11:19 PM
To:     [EMAIL PROTECTED]
Subject:        [PHP] Writing to files


Question I have is, anyone know of a better way to store temp
information?

I have a problem that a script I use, uses many pages and after each
page the information from the form is stored and the next page is shown
etc....

It uses more than 20 variables so I can not store the data in cookies. I
could store the data in a temp file created but problem is that the
webserver would need to create the file which is a security risk (I
would like to find another way other than this). I don't really want to
use sessions but if it's the last resort I guess I will have to.

Other than the above, anyone have a better solution?

Running php 4.1.1 on RH7.2

-------
Chris Kay, Eleet Internet Services
[EMAIL PROTECTED]
-------


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php