After having read this and this (and a million others) I am confused!

I wonder if it's possible to make a PHP script (or JavaScript) that will run once a user loads a page (on Chrome or Firefox) and that will create/write a file and send it to the user's machine (i.e. the client), but without requiring any user input and without the user noticing it!

Note: I'm not doing anything illegal here, I just need to do a security assessment of the sandboxing and whether it allows such a thing or not!

Thanks -- Michael

mixkat
  • Any browser does this if it has some kind of cache. But I guess you are not interested in temporary files in some tmp-dirs. What are you trying to do with this file on the user's machine? Maybe you are interested in HTML5's web cache. – Basti Mar 01 '12 at 14:37
  • @Basti Thanks for the reply! I haven't actually implemented anything! I'm just wondering if, for example, the browser would allow you to create a .txt file on, say, the desktop of the client! – mixkat Mar 01 '12 at 14:43
  • The question is still: what are you trying to do with the file on the user's machine? Maybe we can provide a different solution that matches your needs and does not violate security assertions. – Basti Mar 01 '12 at 14:45
  • @Basti No, that's exactly the point! I'm trying to find out if it's possible to bypass the security of the browser in that way, because obviously this would be a major flaw! If, say, you could create a batch file, you could make it do whatever harmful thing you wanted it to do! But can you create a batch file without any user input? Note that I don't care that much about the general security (i.e. if an antivirus would find it or block it). I'm only considering machines that don't have any "extra" protection and rely only on the browser's sandboxing! – mixkat Mar 01 '12 at 14:53

1 Answer

This is not possible

Edit for some more background:

If you think PHP has access to the browser, or can do stuff there, it means you have a fundamental lack of understanding of how PHP/HTML/JS and browsers & servers interact.

So first try to understand why a browser does not understand PHP, and doesn't even know PHP runs on a server. This is very important if you want to understand anything about web development.

JavaScript is simpler to explain. JavaScript works with various functions, objects and APIs that allow you to do 'stuff' in the browser. There is simply no API in JavaScript to access the filesystem (and for good reason).

Now go and buy a PHP book!

Evert
  • You can't do anything with PHP on the client side because PHP is executed on the server. You can't create arbitrary files on the user's machine using JavaScript because it would be a HUGE security risk and nobody would want some random website to be able to mess with your files. – Basti Mar 01 '12 at 14:43
  • @Evert Apparently I wasn't very clear in my question! No need to be rude though, mate! I know that PHP runs on the server and obviously you can create and write into files with it, but the question is whether those files that you create can somehow be passed to the other side without the user doing anything or the browser understanding/showing it! In other words, if you can pass those files to the user in a stealthy way as soon as the user loads a page. Regarding JS, the second link that I've included in my post seems to have a similar example, but a user can definitely see the download! – mixkat Mar 01 '12 at 15:23
  • Sorry, I didn't realize this may have come across as rude, it was meant in good fun. Simply put then, there's no API for it and there's a really good reason for it. What else do you really need to know? You know why it's not allowed as well (security). Not much more to expand on this. – Evert Mar 01 '12 at 18:14
  • @Evert Yeah, no, that's fair enough! And quite as expected actually! I'm just working on a coursework and I wanted to be sure about this! Thanks! – mixkat Mar 01 '12 at 21:02
  • Glad I could help, sorry again for coming across short. – Evert Mar 01 '12 at 22:44