Saturday, July 4, 2009

Using include() in caching

Caching in a dynamically generated website is a great trick to speed things up. Can you imagine if 5000 users come to your web page at the same time, and you have to grab data from the database, manipulate, validate then output the data 5000 times? That'd take a great load of time.

Instead, when using caching, the server load will be greatly reduced and thus speeding things up. The 5000 users come to your webpage at the same time, only the first user grabs data from the database, manipulate, validate, output then save the output. The following 4999 users just have to grab the output from the cache and that's it!

I was working on the caching module of Samstyle PHP Framework today. Googling around, I discovered that many examples on PHP output caching out there on the web uses include() to retrieve and display data from the cache.

Some articles are:

This is very dangerous. Any executable PHP code in the cached file will also be executed as you are using an include(). Malicious code may be injected into the cache by exploiting this security leak.

For example if you are doing a search page. And the user is able to enter some search keywords into the box. He/she hits enter and the query is run. When you are displaying the result, you also display what the user has searched for. So the query is displayed.

Everything is cached - including the query that the user has entered. Think about it, what if the user had entered PHP codes into the query box and hit enter. Then he/she refreshes the page - the code gets executed!

The user can then use unlink() to delete all the files on your server and so on.

Instead of using include() for reading cache file, you could have directly used readfile(), which reads the file and writes directly to output buffer. This means that no code will be executed in the cache file on the server.

No comments: