I am using file_put_contents() function to write the files on server. I have split the file on client side and send chunks on server. using file_put_contents I am writing that content on server side file.
So I worry, is that a secure way to do it?
Since you want to allow files to be written securely.
Make a location outside server root directory.
Something like:
root dir = /htdocs/html/
Data dir = /htdocs/data/
That way the web server does not have direct access to the files.
Related
I have to site on two different servers.
I want to upload a file www.myserver.com/thefile.txt to www.myotherserver.com/thesamefile.txt
Although the easiest way is to download the file to my computer and then upload, I would like to know if I can automate and make the server download it
You could just make the other server access the URL you wrote, www.myserver.com/thefile.txt, and publish it as www.myotherserver.com/thesamefile.txt?
If you have ssh on both servers try to use scp.
`scp file ssh_login#host:/path_to_download/
Or use php ftp_* functions.
The following code fragment should work. Just make sure that the $read_file is the url on the first server and the $write_file the location on your current server, it should not be an url but an absolute location on your server where you should be able to write.
<?php
function copyFile($read_file, $write_file)
{
file_put_contents($write_file, file_get_contents($read_file));
}
?>
You have two options:
Using php ftp support, and upload the file to another server
Create script to myotherserver.com, make post request with file contents and save the contents using php(eg: file_put_contents)
I have a file sort of like this, it's a user database (udb.htm):
user1:pwd1
user2:pwd2
user3:pwd3
something along the lines of that. I would like to secure this file and make it available for PHP via the file_get_contents("udb.htm"); method, but not a browser window. Thanks!
you can:
upload the file in a directory outside the public html directory, but that php has access
block the access to the file using apache .htaccess <Files> or similar
use HTTP Basic Authentication
save your data in an actual database (mysql, mssql, oracle, sqlite)
Put the file outside of the web root. For instance, in the directory that contains public_html. PHP can access it (and any other file on the system), but you can't get to it from the web.
Move the file into a folder still accesible to PHP but not web clients.
What you want to do is put the database below the web path. So for example, if your website is at www.example.com and it points to: /var/www/html
Then you can put your password file into /var/www/password/udb.htm
Then access it from your php script as file_get_contents("../../password/udb.htm")
Your script can access the file, but your web service will not.
This changes the permissions of your file before open, and remove grants when you close the file, be sure about webserver permissions over the file.
<?php
$file = 'udb.htm';
chmod($file, 0600);
$contents = file_get_contents($file);
chmod($file, 0000);
?>
I am making a feature to my site so that users can upload files (any type).
In order to secure the upload form, i made a blacklist of non-accepted filetypes. But in order to assure protection to my server (in case of uploading malicious scripts in any way) i thought to tar the uploaded files (using the tar class) so that they are stored as .tar zipped files.
So if the user wants to donwload it, then he will receive a .tar file.
My question is, is this secure enough? (since the files cannot be executed then).
[I have this reservation as i can see at the code of tar class, the "fread()"]
Thanks!
Two points, here :
Using a blacklist is a bad idea : you will never think to all possible evil filetypes.
Do not store the uploaded files into a public directory of your server :
Store those files to a directory that is not served by Apache, outside of your DocumentRoot.
And use a PHP script (even if Apaches cannot serve the files through HTTP, PHP can read them) to send those files contents to the user who wants to download them.
This will make sure that those uploaded files are never executed.
Of course, make sure your PHP script that sends the content of a file doesn't allow anyone to download any possible file that's on the server...
You can upload the files to an non web accessible location (under your webroot) and then use a download script to download the file.
The best way of handling uploaded files, in my opinion, is to place them in a folder that's not reachable through HTTP. Then when a file is requested, use a PHP file to send then download headers, the use readfile() to send the file to the user. This way, files are never executed.
That might work, assuming that you're users that will download the files can untar them (most non UNIX systems just have zip, I'd give them the option to download either format).
Also, i think its better to create a list of allowed files vs banned files. Its easy to forget to ban a specific type; whereas you will probably have a better idea of what users can upload
Dont block/allow files on extension. Make sure you are using the mime type that the server identifies the file as. This way its hard for them to fake it.
also, store the files in a non web accessible directory and download them through a script.
Even if its a bad file, they won't be able to exploit it if they can't directly access it .
When saving the files make sure you use these functions:
http://php.net/manual/en/function.is-uploaded-file.php
http://php.net/manual/en/function.move-uploaded-file.php
Dan
I have tow servers for my web site. first, for database and php files. the second, for save useres' uploaded files.
So, if I uploade a file in server-1 xxx.com. how could i save it in server-2 yyy.com??
if you want two servers to be exact clones (contianing same files) you can run a rsync script after your first uplaod has completed. Its very easy and best of you don't have to specify files.
Lets say you want to transfer all files in directory /files/ to server2 in directory /files/2/ You can run this :
rsync /files/ yyy.com:~/files/2/
If you ONLY want specific files (extensions) to be synced, you can do this:
rsync /files/*.mp3 yyy.com:~/files/2/
The above will move ONLY MP3.
You can simply upload one file from server 1 to the server 2 using PHP's FTP functions.
See code example here: http://www.jonasjohn.de/snippets/php/ftp-example.htm
Use shared storage (SAN). Or SMB shares if on Windows. Or NFS if on Unix. Or scp (ssh) with public key authentication if on Unix.
An ugly way I used once was to pass via cURL and FTP commands
Of you course, you need to have access to your server-2 FTP...
I have a folder for downloads on my server, i want to prevent direct access to that folder so i am makin it pass-protected with htaccess and i will push download with a php script. But i have some questions regarding mkdir and file_exists
Do mkdir and file_exists works good for pass-protected folders ?
and
would i get any error while uploading file to that folder ?
AND
is this a good way of preventing direct access ?
thanks
As pass-protection only aplies to HTTP connections though your Apache server, every PHP function that can access files will work. And because uploading a file is also only copying a file with PHP from the temp dir to the upload dir, there should be not problem.
Using htaccess is a good method to avoid direct access. But it would be much better to have the uploaded files in a directory which can not be access through any HTTP reuest. So storing it above the httpdocs (or equal) folder will make it totally impossible to access a file through a direct request.
htaccess works fine for simple password protection. As soon as a user has authenticated everything works exactly like for normal folders. It should not affect any php-functions or server side permissions.