Whenever someone trying to upload a file, php create a temp file for it on our server. However, if I host the form somewhere else (eg. Server #2), and in Server #1 I reference the form using IFrame, does php generate the temp file in Server #1 ??
Reason behind that: I have a sign-up form which allow people to upload files. Sometimes there are hackers trying to upload infected files to our server. (Which anti-virus caught). However, due to this reason, we are hosting the form somewhere else and referencing the page using an IFrame. I'm just wondering if someone upload an infected file, does server #1 get the infected temp file?
Thank you
php will generate the temporary file (for uploading the file) on the server where the php-upload script is running.
Related
Hi I am wondering if the input field with type "file" is automatically uploading files to the server when there is a file selected by the user.
The thing I want is that a user can select files to submit it and that a PHP FTP connection is established to upload the files.
I am not sure if the browser pre-uploads the files to a temp directory on the server or does it do that only when you hit the submit button?
Because if the file is already uploaded to the server it would be unnecessary to use FTP to upload the file again only to a different location on the server.
Basically what I want to accomplish is something similar to what we transfer does. I believe they are not uploading before the user hits the button.
Can anybody point me in the right direction and provide me with some extra info about this matter. Haven't found the desired information yet.
Thanks in advance.
The file is uploaded only once the form is submitted (in the same HTTP POST request as all other form fields). Why don't you try it, to see yourself?
And you cannot use PHP to upload a file via FTP from a client to a server. That's not possible. PHP runs on the server, it cannot access files on a client's machine. See also:
Upload a local file from application via web server with PHP code to FTP server
PHP uploading file from browser to FTP.
How to run php code embedded in a jpg image by knowing the URL of that image ?
imagine a hacker has uploaded a contaminated jpg with php code to server
Now he wants to execute his php code and he knows the URL of the image too
I know if the image is executed with the php files of the server , php code of the hacker will be executed too
for example the below code of the server will execute the hacker's php code in the image:
<h1>Problem?</h1>
<img src="img1.jpg">
<?php
include "./img1.jpg";
but if I take care of the included files and prevent execution of unknown included files, naturally the hacker's php code will not be executed
(for example with defining a constant in the included files which are supposed to be included and checking that constant in the file which is supposed to include those files)
the question is:
Is there another solution for the hacker to execute his php code in the image when he knows the URL of the image too or not ?
FYI: the images are uploaded with an android app to the server
Thanks in advance
Edit:
This is the structure of the server:
public-html:
It contains B.PHP file which just includes A.PHP file from home folder (non public)
It contains user uploaded images too
Home Folder which is non public:
It contains A.PHP file which will be included by B.PHP file in public-html
It contains some other data too,for example name and phone number of the users
A.PHP is responsible for uploading files to public-html and to home folder too
For example:
Some json data will be uploaded in home folder and some images will be uploaded in public-html area
Is this structure dangerous ?
A proper setup of your NGINX or Apache will prevent this kind of thing when someone accesses the image by the URL. All files on server have particular type, and it distinguishes which ones will be run, and which ones will be returned to the user. That's what file handlers are configured for in the Apache configuration so that it knows that it ONLY has to run files with php/php5/php7 extensions.
Reading contents from the file somewhere on the server is no different than from a local directory. Doing include on it WILL NOT RUN the file ON THE SERVER, for the exception if the coder doing the inclusion is also on that same server. In this case attacker already managed to create a PHP file on the server, and it doesn't make difference where the rest of the code is stored - locally or remotely in some obscure file.
The other case is when attacker manages to replace a file in the known directory on the server, yet again if it's not with php extension it won't be run since proper developers will not be storing PHP code in a file with JPG extension.
I am trying to read and write a remote a file to the user's browser through CodeIgniter(FTP Class). That is, I want user to read the file edit the content and save it back.
One way will be
- download the file to my server
- read the file and echo to the user(Browser)
- Save the content of the file to local copy(My server)
- upload the file back to the server
But I don't want to download the file to my server I just want to read and write to remote file
You can write it to the temporary file and after displaying just delete it using unlink() function in the same script. Just call it straight after echoing the content. The file will be present on your server for a really short period of time. FTP is used to upload files, but not for editing them remotely. Any FTP client supporting file edit is actually saving it to the temp folder on your computer and after the edit uploads it back to the server.
For image upload we use FILE html controller.
How this html controller able to browse in the local system?
After selecting a file , it will be copied and moved to server location.
If the php is ale to copy the local file and move to server , will it be able to do any other manipulations of that file ? like delete!
What is happening actually on file upload?
The HTML control is provided by the browser. The browser is a local application and has access to the user's file system. The file's contents are sent to the receiving script by the browser using standard methods.
PHP has no access to the user's file system at any point, just the copy provided by the browser. Deleting or even reading files on the user's file system is not possible.
Actually php is not accessing local system. After you choose a file and click upload at upload form. The whole file(not location) is sent via POST request. And php just recieves that POST request with the whole file, and stores at server.
I have a PHP web-application that allows users to upload images to my web site. I'm doing this using a simply HTML <form enctype="multipart/form-data">
However, instead of having those images uploaded to my web server - I would to have those images uploaded directly to my CDN (Cachefly - which is another server).
Is this possible ... to have a web-application allow a user to upload images directly to another server?
In case it helps, here's my PHP code:
$target_path = "/home/www/example.com/uploads/";
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
// file has been uploaded **LOCALLY**
// HOWEVER, instead of it being upload locally, I would like the file
// to be directly uploaded to the CDN ('other' server)
...
} else{
// error: file did not get uploaded correctly
....
}
i think in case of a CDN ... u will first have to receive files on ur server and then using the CDN API upload to their 'bucket'. i dont think u can upload directly to a CDN unless there is a way to map it as a directory on ur server.
Moving / Uploading a file to a service or for you non-direct-accesable server is usually done by using the provider's API
Moving / Uploading a file to a server 'owned' by yourself can be done by using PHP + FTP extensions (for more information: pear.php.net or pecl.php.net)
Moving / Uploading a file to a server 'owned' by yourself and being one of many in a cluster is usually done by uploading the file temporary on 1 server and afterwards a .sh, .bash or whatever is called which activates further transfer processes to another server.
I don't think it's possible to directly upload to another server, but I could be wrong. I had a similar problem, and I used PHP's FTP capabilities (http://us3.php.net/manual/en/book.ftp.php). I still used my server as a middle-man, meaning I uploaded the files to my server, then FTP transferred them to the target server, and then deleted the file from my server.
You could recieve it on your webserver and then transfer it to the CDN via fileshare or FTP.
If the CDN is web-facing, you could re-direct the request to that server and send control back to your webserver form once the file is uploaded. It's probably better to do the file transfer in the back end though and keep the user connected to the web server.
Sure.
Somewhere in your code there is a "$target_directory" variable that needs to be set. It won't be called that, but depeding on how your function is set up it needs to be there -somewhere-. Just use an absolute path for the directory you want the files to land in. Also, make sure that directory is CHMOD'd to 777 so it can be written into.
Post your code and I can help more.
Yes amazon web services already allows you to upload to amazon S3 directly from the user's browser:
Documentation: http://doc.s3.amazonaws.com/proposals/post.html
Additionally that S3 bucket can be exposed via the amazon CDN (or any other cdn that can point to a customer's origin server)