I am using PHP to move an image to a specific directory. It fails if I have /tmp/ with permissions 755 but it doesn't fail if I have it with 777. Since 777 is not secure, is there any other method to do this?
My PHP code is this:
$dir = '/var/www/spectrom.benrosen.org/uploadedimages/';
$file = basename($_FILES['uploadimage']['name']);
$uploadfile = $dir . randomize() . $file;
if (move_uploaded_file($_FILES['uploadimage']['tmp_name'], $uploadfile)) {
exit('{"result": "successful"}');
} else {
exit('{"result": "could not upload image."}');
}
I wouldn't worry about the /tmp folder. Any user should be able to write to it. You shouldn't leave anything sensitive in the tmp folder.
This will also fail depending on the settings of your uploadimages folder. Make the owner of that folder the PHP process. That is system dependent. If running apache it may be controllable through .htaccess but definitely httpd.conf
Garr is right about the /tmp folder. Any way, if you are worried about the folder security please check this http://shapeshed.com/securing_upload_folders_in_php_on_unix_servers/ it explains how to convert the upload folder permission to 755.
Related
this is my code:
$uploaddir = '/temp/';
$uploadfile = $uploaddir.basename($_FILES['file']['name']);
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile))
send_OK();
else
send_error("ERROR - uploading file");
i have tried to upload with ftp_fput, ftp_put, move_uploaded_file, rename, copy and anything i can put my hands on. nothing seems to work.
i can't understand what is the problem since move_uploaded_file returns only true or false and no error code.
help??
Are you sure that the target directory has write permissions for world?ie,the third number in permission representation?
The files uploaded by php are owned by and comes under the group www-data
You can change the ownership by
[sudo] chown -R www-data folder // change owner
[sudo] chown -R www-data:www-data folder // change group and owner
i don't know why
But you have to.
That's what error messages are for.
Do you see any error message when something goes wrong? If not, then you have to check error logs.
Add this line at the top of your code
error_reporting(E_ALL);
and this one, if it's your local (not live) server
ini_set('display_errors',1);
so you'll be able to see errors onscreen
For the file uploads you have to check $_FILES['file']['error']) first. it it's not 0, refer to the manual page for the actual message.
I experienced a similar problem when using move_uploaded_file which would fail to upload particular files with an $_FILES['filename']['error'] code of 0.
It turns out that the name of the file needs to be unique in relation to the destination directory. move_uploaded_file does not know how to handle identical files names.
Have you check the limit of the file size? One of the reason if crashing could be that you are trying to upload a file bigger than the limit in your configuration. Look at the config var "upload_max_filesize" in your php.ini and check the size of the file.
This caught me out too. Be aware of:
move_uploaded_file() is both safe mode and open_basedir aware. However, restrictions are placed only on the destination path as to allow the moving of uploaded files in which filename may conflict with such restrictions. move_uploaded_file() ensures the safety of this operation by allowing only those files uploaded through PHP to be moved.
These settings can cause the upload to fail if you try to move the file outside of your website base directory for example.
In addition to permissions, be sure to check that there is disk space available on your server. If not, move_uploaded_file() will fail with error 0.
Did you try to activate error_reporting?
You should check your php-config if file uploads are allowed.
header("Content-Type:text/html; charset=utf-8");
if ($_FILES['test']['error'] === UPLOAD_ERR_OK){
echo 'filename: ' . $_FILES['test']['name'] . '<br/>';
if (file_exists('upload/' . $_FILES['test']['name']))
{
echo 'file exist<br/>';
}
else
{
$file = $_FILES['test']['tmp_name'];
$dest = 'upload/' . $_FILES['test']['name'];
move_uploaded_file($file, $dest);
echo "seccess";
}
}
else
{
echo 'error codeļ¼' . $_FILES['test']['error'] . '<br/>';
}
This is my PHP code, I'm just trying to upload a simple tiny txt file to my apache server.
It worked when I ran it in localhost, but error code 7 when I tried to run with apache.
chmod -R www-data:www-data /var/www
Already set www-data as the owner of www, disk space is enough to save the file.
Anything I can do to solve error code 7 problem?
Please check the directory has writeable permission. The error says that you don't have permission to save or write in that directory.
Also, check disk space of that directory.
For more details of error code, please see this link:
http://php.net/manual/en/features.file-upload.errors.php
This could also be your temp file is out of space (just happened to me) - this is where the file goes whilst it is being uploaded.
You can find your tmp file destination in your php.ini file under the following value:
upload_tmp_dir
Normally this will clean itself once the file has finished uploading, but in my case one of my admins copied some videos there for safe keeping whilst making some more space, so the symptoms where that I could upload small files but not large ones, it was quite puzzling at first.
This may also happen if your upload file is larger than your temp space - Although I haven't tested this.
I'm trying to upload a file (msword/doc) to a Apache server folder via an HTML form. It works when I test it locally (I'm testing it via MAMP), but when I upload it to a remote server (such as GoDaddy), it doesn't work. It shows "There was a problem with the file upload".
Below is the snippet of code that processes the file upload. I can't figure out what is wrong with my conditional.
// Move the file to the target upload folder
$target = FILE_UPLOADPATH . basename($new_file);
if (move_uploaded_file($_FILES['new_file']['tmp_name'], $target))
{
// The new file move was successful, now make sure any old file is deleted
if (!empty($old_file) && ($old_file != $new_file))
{
#unlink(FILE_UPLOADPATH . $old_file);
}
}
else
{
// The new file move failed, so delete the temporary file and set the error flag
#unlink($_FILES['new_file']['tmp_name']);
echo 'There was a problem with the file upload.' . PHP_EOL;
}
Are you sure that the folder you are uploading to has permission for files to be written to it? If not, use chmod 0777 and test with that.
Does your destination folder have proper permissions? http://en.wikipedia.org/wiki/Chmod The directory write to typically needs 775: What are the proper permissions for an upload folder with PHP/Apache?
Also, do you want users to have direct access to the file? If not you should consider writing the file to a folder that is above your web root directory.
If $_FILES['new_file']['error'] == 0 then the upload isn't the problem, but the call to move_uploaded_file() is. You probably have incorrect permissions on the directory you're trying to move the file to.
For me, I happened to be testing locally with a file under php's upload_max_filesize while testing remotely with a file over upload_max_filesize. See https://stackoverflow.com/a/30359278/3325776 for more info.
I have the following script which works fine locally:
<?php
//Report all errors
error_reporting(E_ALL);
if ($handle = opendir('instance/system/application/images/dir/testimages/')){
while (false !== ($fileName = readdir($handle))){
$newName = str_replace(" ", "_", $fileName);
rename($fileName, $newName);
}
echo "All files have been renamed";
closedir($handle);
}
?>
However when run on the web server I get the following error:
Warning: rename(.,.) [function.rename]: Permission denied in C:\inetpub\vhosts\domain.com\httpdocs\rename.php on line 10
Any idea how I can resolve this?
Cheers
Note:
I am using IIS7 and a windows server.
Couple of things:
In windows, go to the directory where you want to rename files, right click, and look at the permissions for both the folder and the files within. Whatever the process is running the web server needs to have permissions to modify those files, or create new files in the directory.
Secondly, and more subtly - I think the root cause is a bug. In the PHP manual, there's a comment suggesting that rename will put the file in the current working directory unless you specify your full directory path in the "to" argument.
So, if you are trying to rename "c:\instance/system/application/images/dir/testimages/banana pic.jpg" to banana_pic.jpg, your current code will write that to the current working directory - probably the location of php.exe - that will fail.
I'd try to specify the folder in which you want the renamed file to be placed, and see if that works...
Set permission to files You want to rename to 777.
In file manager, like, filezilla, right click on file and set permissions.
Or just google: set permissions to files on server.
You can try through PHP too: http://php.net/manual/en/function.chmod.php
In order to rename or chmod a file, you need to have access to do that. This means that the file should be either owned by the webserver process, or should be with appropriate mods that allow it to be changed by anyone (like 777)
NOTE: This comment is not appropriate for a windows server. I didn't realise this when I commented. This is appropriate for linux, not windows.
You do not have permission to edit the image so need to chmod() the file:
The chmod() function changed the permissions of the file so you can rename it. The "777" means that anyone can (for a millisecond) change, read and execute the file. Then you write it back to "644", so that anyone can read, but only you can change the file. This second step is for security. You don't want files on your server editable and executable by everyone.
<?php
//Report all errors
error_reporting(E_ALL);
if ($handle = opendir('instance/system/application/images/dir/testimages/')){
while (false !== ($fileName = readdir($handle))){
$newName = str_replace(" ", "_", $fileName);
chmod($fileName, 777);
rename($fileName, $newName);
chmod($newName, 644);
}
echo "All files have been renamed";
closedir($handle);
}
?>
I am using the move_uploaded_file function to upload files. The files get moved into the right directory and I see its physical existence, but I can't open them. I get "Access Denied" error. I view the properties of the file and I found that it doesn't have an owner.
By the way, I am running IIS on Windows 2008.
I check the permissions, everything is set up correctly. The user that is running the web service has full admin rights.
Additionally, I replaced the move_uploaded_file function with copy(), and I was able to access the file. It also had the user that is running the server as its owner.
What on earth could possibly be wrong?
Thanks I appreciate your help.
UPDATE:
After the file is moved I tried to set permissions using chmod($filename,0655) but that didn't work either.
UPDATE 2 (solution):
Alright guys, I figured it out.
The system administrator didn't set the upload_tmp_dir.It worked once we added a path.
Source code:
// Check if file was uploaded
if(isset($_FILES['formname']) && $_FILES['formname']['size'] > 8){
$displayName = $_FILES['formname']['name'];
$displayName = unixfilename(basename($displayName));
$tempName = $_FILES['formname']['tmp_name'];
$filename = $_FILES['formname']['name'];
$fileType = substr($filename, strrpos($filename,".")+1);
$filename = substr($filename,0,strrpos($filename,".")) . date("_Ymd_His") . ".$fileType"; // Add unique identifier
$filename = unixfilename(basename($filename));
$destinationPath = "xx\yy\zz\\";
// Check if the file is of a valid type
if($fileType == "txt"){
// Check if file exists in processor folder
if(!file_exists($destinationPath.$filename)){
if(move_uploaded_file($tempName,$destinationPath.$filename)){
if(file_exists($destinationPath.$filename)){
// success
check who is the user who do the upload actually
echo exec('whoami');
In addition to having upload_tmp_dir set in your php.ini file, ensure that the directory you set is writable by PHP.
If you're using the PHP Manager in IIS, it defaults the upload_tmp_dir to C:\Windows\Temp which was not writable by the PHP process by default for me.