Security Mod

[TigerC10]

Greetings, fellow Naruto fan. I don't think that the flock function does what you think it does... It locks a script from being read or written to all together. Until you unlock it. The only reason this function exists is if you're doing large data crunching and don't want anyone else to mess with your data AS you are reading it. It's not for security.

Locking any of the .php files from being read will be disasterous, since that particular page (or backend script) will instantly stop working for everyone except the person that initiated the lock. And until that person unlocks the file, no one else can use it. You'd constantly see "page cannot be found" errors. What you probably had in mind was locking the file, and then unlocking the file automatically after the page is done loading - but in real time if two people loaded that script at the same time one of them would lock the other one out. If you have an intensive script, like if you're updating the search index - or if you have a frequent cron job, your end users will get stopped in their tracks.

Consider if you have two users adding a new post at the same time - if one gets locked out they will see the "page cannot be found" error. Their browser might not be capable of just click "back" to restore the text they had typed (that would be frustrating).

On a public website, no files should be open for writing anyway.




The next biggest problem you have is with the unlock. By default, Apache and IIS run all php scripts as a single user on the server. Anyone viewing a script could execute the unlock function if the unlock condition isn't properly written. Essentially this would make your initial lock worthless. Unless you've customized your apache or IIS such that users have to log into the server with server-level credentials (aka. turned off "anonymous access" to the website) flock is worthless for security.