I'm trying to run a shell_exec query by pressing a button.
But it does not seem to execute anything. I checked php.ini and it isn't disabled. I'm trying to execute a php file in a different directory
/var/www/html/root/download_handler.php. It doesn't seem to work.
Here's my code. I hope anyone knows what i can do to fix this?
if ($_SERVER['REQUEST_METHOD'] === "POST") {
if (isset($_POST['download'])) {
$site = $_POST['site'];
$wait = $_POST['wait'];
$folder = $_POST['folder'];
$strpos = strpos($site, "http://");
if (empty($site) || empty($wait) || empty($folder)) {
$error = Error::display("Input fields left empty", "alert");
} else {
if ($strpos === false) {
$error = Error::display("Incorrect URL Format. Example: http://example.com/", "alert");
} else {
$username = $_SESSION['username'];
$error = Error::display($site . $wait . $folder . $username, "success");
shell_exec("screen php /var/www/html/download_handler.php download $site $folder $wait $username");
}
}
}
}
?>
Related
I have an 'api' so to speak where I am trying to proxy an api on another server for an App.
The target url is formed like:
http://example.com/live/username/password/filename.mp4
how can I dynamically redirect to that?
here is the php I have so far which grabs the filename and user/password
<?php
if (isset($_GET['username']))
{
$username=$_GET['username'];
$password=$_GET['password'];
}
else if (isset($_POST['username']))
{
$username=$_POST['username'];
$password=$_POST['password'];
}
$action = isset($_GET['action']) ? $_GET['action'] : '';
$db = new SQLite3('./.dns.db');
$res = $db->query('SELECT * FROM dns');
$arr = array();
while ($row = $res->fetchArray(SQLITE3_ASSOC))
{
$arr[] = $row['url'];
foreach ($arr as $value)
{
$api_call = $value.'/player_api.php?username='.$username.'&password='.$password;
$api = json_decode(file_get_contents($api_call), TRUE);
$api2 = json_decode(json_encode($api["user_info"]) ,TRUE) ;
$auth = $api2["auth"];
if ($auth == 1)
{
$dns = $value;
}
}
}
if (isset($_GET['vod_id']) && $_GET['vod_id'] !== "")
{
$vodid = $_GET["vod_id"];
$vodinfo = file_get_contents($dns.'/player_api.php?username='.$username.'&password='.$password.'&action=get_vod_info&vod_id='.$vodid);
echo $vodinfo;
}
else if (isset($_GET['series_id']) && $_GET['series_id'] !== "")
{
$seriesid = $_GET["series_id"];
$seriesinfo = file_get_contents($dns.'/player_api.php?username='.$username.'&password='.$password.'&action=get_series_info&series_id='.$seriesid);
echo $seriesinfo;
}
else if ($action !== "")
{
$get_actions = file_get_contents($dns.'/player_api.php?username='.$username.'&password='.$password.'&action='.$action);
echo $get_actions;
}
else
{
$login = file_get_contents($dns.'/panel_api.php?username='.$username.'&password='.$password);
echo $login;
}
?>
The app will read from the JSON provided and grab the 'filename' and then attempt to go to /live/ on the api host, but this will lead too http://example2.net/live/username/password/filename.mp4
which doesn't exist.
I thought about maybe something in htaccess?
Im trying to provide the App with the http://example.com/live/username/password/filename.mp4
not the
http://example2.net/live/username/password/filename.mp4
(The example2.net is the $dns in the PHP)
Sorry I know this is a bad explanation - hopefully I've explained enough to be able to find an answer.
(1st post)
edit: I have been reading about turing folders in links to querystring where I can point to this
<?php
if (isset($_GET['username']))
{
$username=$_GET['username'];
$password=$_GET['password'];
$streamid=$_GET['streamid'];
}
else if (isset($_POST['username']))
{
$username=$_POST['username'];
$password=$_POST['password'];
$streamid=$_POST['streamid'];
}
header('Location: http://example.com/live/'.$username.'/'.$password.'/'.$streamid);
?>
I just need now to figure out how to use htaccess to turn the requested folder url into a query string from
example2.net/live/username/password/file.mp4 to
example2.net/live.php?username=username&password=password&streamid=streamid.mp4
I ended up using this which worked for .htaccess
RewriteEngine on
RewriteRule ^live\/([^\/]+)\/([^\/]+)\/([^\/]+) /path/to/api/live.php?username=$1&password=$2&streamid=$3 [L]
I tried to upload video filenames and other variables to the database, but the insert statement won't work. Anyway the videofile-name and the thumbnail-filename are both uploaded to the right folders.
I've checked and there's nothing wrong with the sql statement. But why won't it work can anyone tell me?
PHP code
<?php
session_start();
if (isset($_POST['submit'])) {
$videoName = $_POST['videoName'];
$videoDesc = $_POST['description'];
$category = $_POST['category'];
$level = $_POST['level'];
$userId = $_SESSION['userId'];
$videoFile = $_FILES["videoFile"];
$videoFileName = $videoFile['name'];
$videoFileType = $videoFile['type'];
$videoFileTempName = $videoFile['tmp_name'];
$videoFileError = $videoFile['error'];
$videoFileExt = explode(".", $videoFileName);
$videoFileActualExt = strtolower(end($videoFileExt));
$videoAllowed = array("mp4", "mov", "avi");
$thumbFile = $_FILES["thumbnail"];
$thumbFileName = $thumbFile["name"];
$thumbFileType = $thumbFile["type"];
$thumbFileTempName = $thumbFile["tmp_name"];
$thumbFileError = $thumbFile["error"];
$thumbFileExt = explode(".", $thumbFileName);
$thumbFileActualExt = strtolower(end($thumbFileExt));
$thumbAllowed = array("jpg", "jpeg", "png");
if (in_array($videoFileActualExt, $videoAllowed)) {
if(in_array($thumbFileActualExt, $thumbAllowed)) {
if ($videoFileError === 0) {
if ($thumbFileError === 0) {
$videoFullName = $videoFile . "." . uniqid("", true) . "." . $videoFileActualExt;
$videoFileDestination = "../video/" . $videoFullName;
$thumbFullName = $thumbFile . "." . uniqid("", true) . "." . $thumbFileActualExt;
$thumbFileDestination = "../thumbnail/" . $thumbFullName;
include 'dbh.inc.php';
if(empty($videoName) or empty($videoDesc)) {
header("Location: ../uploadVideo.php?upload=empty");
exit();
} else {
move_uploaded_file($videoFileTempName, $videoFileDestination);
move_uploaded_file($thumbFileTempName, $thumbFileDestination);
$sql = "INSERT INTO video (filnavn, thumbnail, videoName, descript, idMusician, categoryName, idLevel) VALUES ('$videoFullName', '$thumbFullName', '$videoName', '$videoDesc', $userId, '$category', $level);";
mysqli_query($conn, $sql);
header("Location: ../uploadVideo.php?upload=success");
exit();
}
} else {
echo "You had a thumbnail error!";
exit();
}
} else {
echo "You had a video error!";
exit();
}
} else {
echo "You need to upload a proper thumbnail file type";
exit();
}
} else {
echo "You need to upload a proper video file type!";
exit();
}
} else {
}
You cannot insert or in this way in the if() condition, you must always use the logical operator as
if(empty($videoName) || empty($videoDesc))
Because of that your execution of code must have stopped at that point.
So I have an admin folder with pages that are supposed to be secured, but one folder I have in there needs to be linked to a file outside of the admin folder.
It looks something like this:
admin folder >
uploads folder
insert.php
index.php
I upload pictures on the insert.php and they get pathed like so:
$base_upload_path = "uploads/";
But I also need them to show up on the index.php page as well. I've tried to include the uploads folder on the index.php page or even direct the path outside of the admin folder but nothing has worked so far.
If anyone could give suggestions I'd very much appreciate it as I'm pretty new to PHP.
insert.php
<?php
include("includes/db.php");
include("includes/validate.php");
include("includes/file_utils.php");
include("includes/image_utils.php");
$result_image = null;
$isPostRequest = false;
$fileErrors = "";
$isValidForm = false;
$base_upload_path = "uploads/";
$successfulImageSave = false;
if ($_SERVER['REQUEST_METHOD'] == "POST") {
$isPostRequest = true;
$id = null;
$img_name = "";
$thumb_name = "";
$title = "";
$description = "";
$img_type = "";
if (isset($_FILES['the_file']) &&
isset($_POST['MAX_FILE_SIZE']) &&
isset($_POST['title']) &&
isset($_POST['description'])) {
$max_upload_size = validate_number($_POST['MAX_FILE_SIZE']);
$title = validate_string($_POST['title']);
$description = validate_string($_POST['description']);
$isValidFile = is_valid_file($_FILES['the_file']);
if ($max_upload_size != false &&
$title != false &&
$description != false &&
$isValidFile != false) {
$isValidForm = true;
} else {
$fileErrors = get_file_error($_FILES['the_file']);
}
if ($isValidForm) {
$fileName = $base_upload_path.$_FILES['the_file']['name'];
$isMoved = move_image_to_upload_folder($_FILES['the_file']['tmp_name'], $fileName);
if ($isMoved) {
$new_file_name = create_thumbnail($fileName, $_FILES['the_file']['type']);
if ($new_file_name != false) {
$successfulImageSave = save_to_database($fileName, $new_file_name, $title, $description, $_FILES['the_file']['type']);
}
}
}
}
}
$images = get_images();
?>
index.php
<?php
include("admin/includes/db.php");
include("admin/includes/validate.php");
include("admin/includes/file_utils.php");
include("admin/includes/image_utils.php");
include("admin/uploads/");
$images = get_images();
$query = "SELECT img_name, thumb_name, title, description, img_type FROM image_gallery;";
$query_result = mysqli_query($db, $query)
?>
I'm getting the error message when uploading a form in php.
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near"
I've followed instructions from other posts as follows, to no avail:
1-Wrapped the column heading names in backticks.
2-Made sure all strings were passed as strings, and ints as ints.
3-Cleaned up any strings before sending out.
4-Made sure the connection to the database works and we can query from it.
5-Checked and re-checked my html code.
Here's my php code:
<?php
include('../config/config.php');
// Redirect browser if the upload form WAS NOT submited.
if (!isset($_POST['submit_upload']))
{
header("location: upload.html");
}
// Continue if the upload form WAS SUBMITED
else
{
// Set the upload directory path
$target_path = realpath( dirname( __FILE__ ) ) . "/uploads/audio/";
// Array to store validation errors
$error_msg = array();
// Validation error flag, if this becomes true we won't upload
$error_flag = false;
// We get the data from the upload form
$filename = $_FILES['file']['name'];
$temp_filename = $_FILES['file']['tmp_name'];
$filesize = $_FILES['file']['size'];
$mimetype = $_FILES['file']['type'];
// Convert all applicable characters to HTML entities
$filename = htmlentities($filename);
$mimetype = htmlentities($mimetype);
// Check for empty file
if ($filename == "")
{
$error_msg[] = 'No file selected!';
$error_flag = true;
}
// Check the mimetype of the file
if ($mimetype != "audio/x-mp3" && $mimetype != "audio/mp3")
{
$error_msg[] = 'The file you are trying to upload does not contain expected data.
Are you sure that the file is an MP3 one?';
$error_flag = true;
}
// Get the file extension, an honest file should have one
$ext = substr(strrchr($filename, '.') , 1);
if ($ext != 'mp3')
{
$error_msg[] = 'The file type or extention you are trying to upload is not allowed!
You can only upload MP3 files to the server!';
$error_flag = true;
}
// Check that the file really is an MP3 file by reading the first few characters of the file
$open = #fopen($_FILES['file']['tmp_name'], 'r');
$read = #fread($open, 3);
#fclose($open);
if ($read != "ID3")
{
$error_msg[] = "The file you are trying to upload does not seem to be an MP3 file.";
$error_flag = true;
}
// Now we check the filesize.
// The file size shouldn't include any other type of character than numbers
if (!is_numeric($filesize))
{
$error_msg[] = 'Bad filesize!';
$error_flag = true;
}
// If it is too big or too small then we reject it
// MP3 files should be at least 1MB and no more than 10 MB
// Check if the file is too large
if ($filesize > 10485760)
{
$error_msg[] = 'The file you are trying to upload is too large!
Please upload a smaller MP3 file';
$error_flag = true;
}
// Check if the file is too small
if ($filesize < 1048600)
{
$error_msg[] = 'The file you are trying to upload is too small!
It is too small to be a valid MP3 file.';
$error_flag = true;
}
// Function to sanitize values received from the form. Prevents SQL injection
function clean($conn, $str)
{
$str = #trim($str);
if (get_magic_quotes_gpc())
{
$str = stripslashes($str);
}
return mysqli_real_escape_string($conn, $str);
}
// Sanitize the POST values
$title = clean($conn, $_POST['title']);
$context = clean($conn, $_POST['context']);
$source = clean($conn, $_POST['source']);
$interviewer = clean($conn, $_POST['interviewer']);
$interviewee = clean($conn, $_POST['interviewee']);
$intervieweeAge = (int)$_POST['intervieweeAge'];
$geoRegion = clean($conn, $_POST['geoRegion']);
$language = clean($conn, $_POST['language']);
$recDate = clean($conn,$_POST['recDate']);
$keywords = $_POST['keywords'];
if ($title == '')
{
$error_msg[] = 'Title is missing';
$error_flag = true;
}
if ($interviewee == '')
{
$error_msg[] = 'Interviewee name/anonymous is missing';
$error_flag = true;
}
// If there are input validations, show errors
if ($error_flag == true)
{
foreach($error_msg as $c => $p) echo "Error " . $c . ": " . $p . "<br />";
}
// Else, all checks are done, move the file.
else
{
if (is_uploaded_file($temp_filename))
{
// Generate an uniqid
$uniqfilename = $interviewee . '_' . str_replace("_", "", $recDate) . '.mp3';
$filePath = '/uploads/audio/' . $uniqfilename;
// If the file was moved, change the filename
if (move_uploaded_file($temp_filename, $target_path . $uniqfilename))
{
// Again check that the file exists in the target path
if (#file_exists($target_path . $uniqfilename))
{
// Assign upload date to a variable
$upload_date = date("Y-m-d");
// Create INSERT query
$qry = "INSERT INTO FDM177_AUDIO_CLIPS (title,context,source,interviewer,interviewee,intervieweeAge,geoRegion,language,recDate,fileName,filePath)
VALUES('$title','$context','$source','$interviewer',$interviewee',$intervieweeAge,'$geoRegion','$language','$recDate','$uniqfilename','$filePath')";
$result = mysqli_query($conn, $qry) or die(mysqli_error($conn));
if ($result)
{
$id = mysqli_insert_id($conn);
echo "File uploaded. Now it is called :" . $uniqfilename . "<br />" . $date . "<br />";
}
else
{
echo "There was an error uploading the file, please try again!";
}
if(1) {
//if (is_array($keywords) || is_object($keywords)) {
foreach($keywords as $k) {
// $idQuery = "SELECT keyword_ID from KEYWORDS WHERE keywordName=" . $k";
$idQuery = mysqli_query($conn, "SELECT * FROM FDM177_KEYWORDS WHERE (`keywordName` LIKE '%".$k."%')") or die(mysql_error());
$matchingKArray = mysqli_fetch_array($idQuery);
$keyword_FK = $matchingKArray[keyword_ID];
// echo $kQuery;
echo $keyword_FK;
$qry = "INSERT INTO FDM177_JNCT_KWDS_CLIPS (keyword_FK, clip_FK)
VALUES ('$keyword_FK', '$id')";
$result = mysqli_query($conn, $qry);
if ($result)
{
echo 'inserted with keyword.' . $k . ' <br />';
}
}
}
else {
echo "keywords are missing";
}
}
}
else {
echo "There was an error uploading the file, please try again!";
}
}
else
{
echo "There was an error uploading the file, please try again!";
}
}
}
?>
The problem occurs at the first MYSQL query that starts as MYSQL query INSERT INTO FDM177_AUDIO_CLIPS...
What am I missing?
Thank you!
quotes breaking in one query '$interviewer',$interviewee',
$qry = "INSERT INTO FDM177_AUDIO_CLIPS
(title, context, source,interviewer, interviewee,
intervieweeAge,geoRegion,language,recDate,fileName,filePath)
VALUES
('$title', '$context', '$source', '$interviewer', '$interviewee',
$intervieweeAge,'$geoRegion','$language','$recDate','$uniqfilename','$filePath')";
I started on an ftp project and I'm having trouble getting the directory to reload. My code says that it successfully changed, but I am assume that it only changes server-side. I need the browser to change the directory as well.
PS: How can I download via FTP through the browser? When I test locally it writes the files to the root directory but when connected remotely I don't know where they go. There is no indication of files being downloaded.
Any help would be greatly appreciated! And please, if you have any tips for me that would be great. I'm still pretty new at this but I'm trying my best.
<?php
session_id('logon');
session_start();
if (isset($_POST['connect']))
{
$_SESSION['port'] = $_POST['port'];
$_SESSION['server'] = $_POST['server'];
$_SESSION['user'] = $_POST['user'];
$_SESSION['password'] = $_POST['password'];
}
$port = $_SESSION['port'];
$server = $_SESSION['server'];
$user = $_SESSION['user'];
$pass = $_SESSION['password'];
$connection = ftp_connect($server)
or die("Couldn't connect!");
$logon = ftp_login($connection,$user,$pass)
or die("Couldn't login!" . $server ."<br>". $port);
$workingDir = ftp_pwd($connection);
echo "You are in $workingDir<br><br>";
$dirList = ftp_nlist($connection, ".");
foreach($dirList as $item)
{
$res = ftp_size($connection, $item);
if ($res != "-1")
{
echo "<a href='?download=$item'>$item</a><br>";
if (isset($_GET['download']))
{
if ($_GET['download'] == $item)
{
include('include/download.php');
}
}
}
else
{
$directory = $item;
echo "<a href='?change=$directory'>$directory</a><br>";
if ($_GET['change'] == $directory)
{
if (ftp_chdir($connection, $directory))
{
echo "Changed to " . ftp_pwd($connection) . "!<br>";
$dirList = ftp_nlist($connection, ".");
header("Refresh:0");
}
else
{
echo "Failed to change to $directory";
}
}
}
}
ini_set('error_reporting', E_ALL);
ftp_quit($connection);
?>
Solved! Added a directory.php file with
$getChange = $_GET['change'];
if (ftp_chdir($connection, $getChange))
{
echo "Changed to " . ftp_pwd($connection) . "!<br>";
$dirList = ftp_nlist($connection, ".");
}
else
{
echo "Failed to change to $getChange";
}
$workingDir = ftp_pwd($connection);
echo "You are in $workingDir<br><br>";
$dirList = ftp_nlist($connection, ".");
foreach($dirList as $item)
{
$res = ftp_size($connection, $item);
if ($res != "-1")
{
echo "<a href='?download=$item'>$item</a><br>";
if (isset($_GET['download']))
{
if ($_GET['download'] == $item)
{
include('include/download.php');
}
}
}
else
{
echo "<a href='directory.php?change=$item'>$item</a><br>";
}
}