I am uploading an image and storing the image path in the database. The code for this is below:
<?php
if( move_uploaded_file( $_FILES[$objName]['tmp_name'], trim($this->upload_path.$img_name_str )) ) {
    $fNames[] = $img_name_str;
    chmod(trim($this->upload_path.$img_name_str ), 777);
}
?>
The image is uploaded into the folder correctly. But the problem is that the permission for the image is set to 01411 even though I set the folder permission to 777. Because of this, I am unable to show the image on the front end. Please advise.
I am facing this issue only on the server.
From php.net
Note:
The current user is the user under which PHP runs. It is probably not
the same user you use for normal shell or FTP access. The mode can be
changed only by user who owns the file on most systems.
Note:
This function will not work on remote files as the file to be examined
must be accessible via the server's filesystem.
Note:
When safe mode is enabled, PHP checks whether the files or directories
you are about to operate on have the same UID (owner) as the script
that is being executed. In addition, you cannot set the SUID, SGID and
sticky bits.
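The mode reported in the question, 01411, is decimal 777 written in octal: `chmod()` takes an integer, and only a literal with a leading zero is read as octal. An added example (not part of the original post or of the php.net notes) that shows the difference on a scratch file; the `upl_` prefix and the choice of 0644 are assumptions, and the on-disk result assumes Linux.

```php
<?php
// Added example, not code from the original post.

// Render permission bits the way `stat` prints them: five octal digits.
function mode_string(int $mode): string
{
    return sprintf('%05o', $mode & 07777);
}

// Apply a mode to a file and read back what the filesystem stored.
function applied_mode(string $path, int $mode): string
{
    chmod($path, $mode);
    clearstatcache(true, $path);
    return mode_string(fileperms($path));
}

// Scratch file standing in for the moved upload (constructed).
$path = tempnam(sys_get_temp_dir(), 'upl_');

// Decimal 777 equals octal 01411: sticky bit, owner r--, group --x, other --x.
// Nobody except the owner can read the file.
echo 'decimal 777 as octal : ', mode_string(777), "\n";
echo 'chmod($path, 777)    : ', applied_mode($path, 777), "\n";

// Octal literal (leading zero). 0644 is enough for a file the web
// server only has to read; execute bits are not needed on an image.
echo 'chmod($path, 0644)   : ', applied_mode($path, 0644), "\n";

// A mode that arrives as a string (config file, form field) must be
// converted explicitly, because (int) '644' is decimal again.
echo 'octdec("644")        : ', applied_mode($path, octdec('644')), "\n";

unlink($path);
```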
I have written simple PHP code to upload image file. Images are uploading successfully.
Here is my code,
mkdir("uploaded images", 0777, true);
move_uploaded_file($sourcePath,$targetPathNew);
But when I download that image, it shows me
Response: 550 Access is denied.
Error: Critical file transfer error
Thanks
This is due to the permissions of the file. The uploaded file is owned by a web server user (such as www-data) and your FTP server runs under a different user. While you change permissions on the folder to 0777 (allow everything to everyone), the file doesn't inherit the same permissions.
To fix this, you probably can add chmod($targetPathNew, 0777) in your code after the move_uploaded_file(...).
There is a chance though that this won't work due to some stricter server configuration. I'm not going to dive into this as judging by your question you're not very familiar with the Linux permissions (sorry if I'm wrong). You can find some essential information about permissions here, for example - https://www.tutorialspoint.com/unix/unix-file-permission.htm
I've tried to look around for some tricks on how I can do this safely, without executing the code.
Does the code get executed if I simply upload it to the file system, then leave it be until someone downloads it?
Or is this a potential threat as well?
What I am trying to do is make the users able to upload their CV in PDF files. The administrator can then download this PDF file (not being viewed on the server, but downloaded).
How should I do this to prevent malicious files from being executed on my server? Also, would it be risky to place this folder OUTSIDE the public_html folder?
There's not a lot of risk in uploading a .pdf to a folder.
The folder must be in 644 (chmod) and have an index.php with a redirect to the index of the website.
Inside or outside the "public_html": it's not a problem.
When you upload, you can check the extension (.pdf) and the MIME type:
with finfo_file (http://php.net/manual/en/function.finfo-file.php )
and
with $extension = substr($file, -3);
That depends on how your server is set up: whether it allows PDF files to be used as executables, or to be opened with a particular application/processing script that could be used for malicious actions. Otherwise you have to follow simple instructions such as restricting the file name length and avoiding performing read operations on that file. As I understand it, you only need to upload and save them. I'd keep them in public_html and, once uploaded correctly (you checked filesize, extension etc.), move them whenever you like.
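The checks named in the answers above (extension, `finfo` content type, file size) put together as one handler, as an added example that is not code from the original posts. The form field name `cv`, the storage path outside the web root, the size limit and both function names are assumptions.

```php
<?php
// Added example, not code from the original posts.
// Assumptions: form field "cv", storage directory outside the web root.

function store_pdf_upload(array $file, string $storageDir, int $maxBytes = 5242880): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload did not complete');
    }
    // Only accept a file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('File is empty or too large');
    }
    // Extension of the client-supplied name (case-insensitive).
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'pdf') {
        throw new RuntimeException('Extension is not .pdf');
    }
    // Type derived from the file's bytes, not from the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'application/pdf') {
        throw new RuntimeException('Content is not a PDF');
    }
    // The server picks the stored name; the client name never becomes a path.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file');
    }
    chmod($target, 0640); // octal: owner rw, group r, no execute bits
    return $target;
}

// Send a stored file to the administrator as a download, never as a page.
function send_pdf_download(string $path, string $downloadName): void
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($downloadName));
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (isset($_FILES['cv'])) {
    $stored = store_pdf_upload($_FILES['cv'], '/srv/app-data/cv'); // constructed path
    echo 'Stored as ', basename($stored), "\n";
}
```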
I am building an upload feature on my project. I have done other validation on existence, size and type, but a little more validation was needed. I found out about MIME validation, which checks the real file type no matter what file extension a user uploads. The code below did that work for me. Now whenever a user tries to upload a .php file as a .png/jpg/jpeg or any other fake extension name, my code catches it as a malicious file type. But I have a question: when a user uploads a file, at first it goes to a temporary directory. Is that temporary directory on the client PC or on our server? If it's on our server, can that malicious fake-extension file be dangerous for us or not?
$imageInfo = getimagesize($_FILES['file']['tmp_name']);
if ($imageInfo['mime'] == ("image/png") || $imageInfo['mime'] == ("image/jpeg")
|| $imageInfo['mime'] == ("image/jpg")) {
From the manual:
Files will, by default be stored in the server's default temporary directory, unless another location has been given with the upload_tmp_dir directive in php.ini. The server's default directory can be changed by setting the environment variable TMPDIR in the environment in which PHP runs.
The file will be deleted from the temporary directory at the end of the request if it has not been moved away or renamed.
Unless you do something intentionally stupid like run files found within that temporary directory, or cause them to be run, you're fine. It's not dangerous for a file to simply exist for a short period of time only to be deleted.
The temp directory is on your server, and it is possible to execute files in the temp directory, so you can run sys_get_temp_dir() to find the location of the temp directory and change the permission to read and write only.
First get the extension, then use the extension in the if condition like this:
$extension = image_type_to_extension($imageInfo[2]);
I have a problem with the jQuery uploadify script and I haven't found any solution.
I've integrated this script into my project and everything works fine on a Windows server (localhost), but when I try to run it on a UNIX server an I/O error is raised.
This only happens when I try to upload a file that already exists in the upload folder. On Windows the file is overwritten, but on UNIX I get an I/O error.
If you have any solutions, I'll be very grateful.
Here is the server-side code which I think is the problem (PHP code):
if (!empty($_FILES)) {
    $tempFile = $_FILES['Filedata']['tmp_name'];
    $targetPath = $_SERVER['DOCUMENT_ROOT'].$_REQUEST['folder'].'/';
    $targetFile = str_replace('//', '/', $targetPath).$_FILES['Filedata']['name'];
    if (file_exists($targetFile)) unlink($targetFile);
    copy($tempFile, $targetFile);
    echo "1";
}
First few things to check:
Which user owns the file that exists?
Which user owns the directory that the file is in?
Which user is running your PHP script?
What are the permissions on the file itself?
What are the permissions on the directory that the file is in?
The reason I ask these questions is because it may be a simple permissions problem. The user running the unlink and file create of the target file will need write access to the directory. It's possible that the user that's running the script is not the one that owns the directory or file, in which case you may have to open up the permissions a bit.
Of course, that's just conjecture on my part but that's the first thing I'd be looking for.
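The five questions in the answer above can be answered from PHP itself, run as the same user that handles the upload. An added example, not part of the original answer; the function names and the sample path are assumptions, and the owner-name lookup relies on the optional posix extension.

```php
<?php
// Added example, not code from the original answer.

// Owner, mode and writability of one path, as seen by the PHP process.
function perm_report(string $path): array
{
    clearstatcache(true, $path);
    $uid = fileowner($path);
    $owner = function_exists('posix_getpwuid')
        ? (posix_getpwuid($uid)['name'] ?? (string) $uid)
        : (string) $uid;
    return [
        'path'     => $path,
        'owner'    => $owner,
        'mode'     => sprintf('%04o', fileperms($path) & 07777),
        'writable' => is_writable($path),
    ];
}

// Collect everything needed to explain a failed overwrite of $targetFile.
function overwrite_diagnosis(string $targetFile): array
{
    $dir = dirname($targetFile);
    if (function_exists('posix_geteuid')) {
        $euid = posix_geteuid();
        $phpUser = posix_getpwuid($euid)['name'] ?? (string) $euid;
    } else {
        // Fallback: owner of this script, which may differ from the
        // account the web server runs as.
        $phpUser = get_current_user();
    }
    return [
        'php_user'  => $phpUser,
        'directory' => perm_report($dir),
        'file'      => file_exists($targetFile) ? perm_report($targetFile) : null,
        // unlink() and creating the replacement both need write access to
        // the directory; the existing file's own mode does not decide that.
        'can_replace' => is_writable($dir),
    ];
}

// Constructed sample path; point it at the file that fails to overwrite.
print_r(overwrite_diagnosis(__DIR__ . '/uploads/example.jpg'));
```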
First of all, you should use move_uploaded_file instead of a copy.
But most likely your problem is due to a permissions problem. Can you upload any file to the folder? Have you checked that the files already in the folder (those you want to overwrite) have the same permissions as a newly uploaded one? My guess would be that you copied the files to the folder using (S)FTP and that they have a different owner/permissions so you can't overwrite them.
In addition to the possible permissions issues mentioned by paxdiablo and wimvds, also check the case of your filename and path. Unlike Windows, Unix filesystems are case-sensitive.
I'm running PHP 5.2.6 on a Windows Server 2003 Enterprise box. IIS is set to deny anonymous access and use Integrated Windows authentication.
I'm using a PHP script to save a file uploaded from a web form. The file is uploaded to a temp folder, the script creates a file name and path depending on other variables from the web form, and then the script uses PHP's move_uploaded_file() to move the temp file to the final location. All that works fine. In short, people are uploading files so everyone in the group can see them and the files are organized by the script.
My problem is that the file in the final location has odd permissions. It is not ending up with permissions from either the temp location or the final location. Both the temp location and final location have the same permissions: full rights for owner and administrators; read and read/execute for 2 specific AD security groups. The final file ends up with only: full rights for owner and administrators. So while the admins and the original uploader have no problem viewing the file, all others in the group get "permission denied" when trying to access it.
Any ideas or suggestions will be greatly appreciated! Thanks!
From the PHP page on move_uploaded_file (NB: this worked for me):
For those using PHP on Windows and IIS, you SHOULD set the "upload_tmp_dir" value in php.ini to some directory around where your websites directory is, create that directory, and then set the same permissions on it that you have set for your websites directory. Otherwise, when you upload a file and it goes into C:\WINDOWS\Temp, then you move it to your website directory, its permissions will NOT be set correctly. This will cause you problems if you then want to manipulate that file with something like ImageMagick's convert utility.
This seems to be an issue with the move_uploaded_file() function:
http://us3.php.net/move_uploaded_file
Take a look at the comments below, take note of Florian's comment about copy().
Would copy() solve the issue?:
http://us3.php.net/manual/en/function.copy.php