I'm downloading files from a remote ftp location using php ftp_get() function. Downloading and saving the file is done perfectly, but the file is saved on the local server with different user rights.
Looking at the files, all files uploaded by FTP get the user of the site profile. But files downloaded by a script (executed through a browser) get the user apache.
So at a later stage, a cronjob, who is a different user (site user) can't access these files. Because it has no permission.
So how could u I save the file using ftp_get() with the correct user and group?
Maybe change file permissions using
http://php.net/manual/en/function.chown.php
and
http://php.net/manual/en/function.chmod.php
Related
I understand the security flaw in the following situation:
User uploads filemanager.php and my script moves it to the web accessible uploads folder. User then visits http://example.com/uploads/filemanager.php and has access to my files.
However, if the uploads folder is stored outside of the publicly accessible web folder (i.e. /var/uploads) and the files are never served directly, is it safe to allow any file?
For example to download, the user would go to http://example.com/download.php?id=123 and PHP would look up the file location assosciated with the ID, then directly output the contents of the file as a download (setting headers to force a download and then using readfile())
I understand that viruses could be uploaded, etc. but would the server itself be protected from dangerous files this way?
I having a problem which when files are uploaded to there folder with PHP they don't have any permissions to then view them on my website.
I'm using IIS and the IIS permission doesn't get set when the folder has the correct permissions.
Because what I'm doing it uploading the file location to my database then using that to display it on page if i change the file permissions it works fine but i would have to do this every time something is uploaded to my server.
Thanks,
I've got the following situation: I have some files with hashed filename on a cdn. Now I want a php script which redirects to the files (download) and give them another name. Is there a way without using readfile? The problem with readfile is that it doesn't make sense to download the file from cdn to my webserver and then download the file from the webserver to local computer.
I only want the zip file to be available once after a user purchases it, and it can only be downloaded once
The file is outside public_html, it isn't publicly available, but I can't figure how to send the file to the browser.
Using this guide: Idiot-proof, cross-browser force download in PHP how can I get it to work with non-public access to the zip file? I tried setting the path to the file, but it didn't work. (I tested it with a browser accessible path and it did work)
As for the other concern, only allowing it to be downloaded once, I am doing the following:
user accesses the unique download page
checks to see if the product was already downloaded
updates mySQL saying that it has been downloaded
send headers to download the file
You can copy zip file to an specified location when user registers. The new name of zip file should be with username so that it can be unique. Once user has downloaded you can delete the file. As the file has been copied once in registration the copying process event wont occur again.
On registration :
copy($main_copy, "/download/balh_".$username.".zip");
Post download :
unlink("/download/balh_".$username.".zip");
I'm running PHP 5.2.6 on a Windows Server 2003 Enterprise box. IIS is set to deny anonymous access and use Integrated Windows authentication.
I'm using a PHP script to save a file uploaded from a web form. The file is uploaded to a temp folder, the script creates a file name and path depending on other variables from the web form, and then the script uses PHP's move_uploaded_file() to move the temp file to the final location. All that works fine. In short, people are uploading files so everyone in the group can see them and the files are organized by the script.
My problem is that the file in the final location has odd permissions. It is not ending up with permissions from either the temp location or the final location. Both the temp location and final location have the same permissions: full rights for owner and administrations; read and read/execute for 2 specific AD security groups. The final file ends up with only: full rights for owner and administrations. So while the admins and the original uploader have no problem viewing the file, all others in the group get "permission denied" when trying to access it.
Any ideas or suggestions will be greatly appreciated! Thanks!
from the php page on move_uploaded_file (nb: this worked for me):
For those using PHP on Windows and IIS, you SHOULD set the "upload_tmp_dir" value in php.ini to some directory around where your websites directory is, create that directory, and then set the same permissions on it that you have set for your websites directory. Otherwise, when you upload a file and it goes into C:\WINDOWS\Temp, then you move it to your website directory, its permissions will NOT be set correctly. This will cause you problems if you then want to manipulate that file with something like ImageMagick's convert utility.
This seems to be an issue with the move_uploaded_file() function:
http://us3.php.net/move_uploaded_file
Take a look at the comments below, take note of Florian's comment about copy().
Would copy() solve the issue?:
http://us3.php.net/manual/en/function.copy.php