I'm having a problem when I try to open files that were generated by my CMS on my windows machine. It has an upload function that saves the file on a given location (it is on my user folder, where I'm supposed to have all the write and read permissions).
All I can see in that folder is a generic thumbnail, the ones generated by windows for each image type, PNGs and JPEGs in this case. I tried to change de image permissions and set it to the current computer user but it doesn't work. And I'm unable to move these files to another location (upload them to the server via FTP).
I wonder if there is a way to change this behavior.
One thing I noticed is that if I copy and paste those files, I can see its contents normally. I know I can do that to each of them and rename, but there are dozens of images in that folder... don't wanna do the same thing everytime I upload a new image.
Update
This is happening only to the images that were moved (I'm using php's move_uploaded_file function, btw), not to the ones that where generated (croped, resized and so on).
It`s happening because Windows keep file permissions of TEMP folder (usually c:/windows/temp) when moving a file.
To prevent it you need to change "upload_tmp_dir" in "php.ini" to your server directory or set wide permissions to your windows temp folder.
You probably have an error in some php file which is preventing the image from being displayed correctly.
What i would do in order to detect the problem is to comment out the header() calls in the php file responsible for displaying the image and see if there is any output other than the image data.
Inspect the whole output, it only takes a character to break everything, so check if there are no blank lines at the top or bottom of the output. And in case you have an error log, consult that, it will help you trace the problem quickly.
When i have this problem, it's usually a notice or a warning showing up during the process of the image generation, and if you haven't disabled errors from being output to the screen, the notice text will be considered as part of the image data which makes the browser unable to interpret your image.
If you'd like i can take a look closely for you but i would need to see what you are doing in that php file to be able to tell you for sure.
Related
I have a site for media conversion where users can upload video, audio or image files and it is converted in to 3 popular formats. Conversion script works fine but I am having some issues with the tmp directory where the files get uploaded to. I have tried 2 scenarios I am fine with either but neither works and it seems to me to be permissions related but I can seem to fix the problem.
I am working locally right now while I work out the kinks.
Scenario 1:
File is uploaded to default local tmp directory (C:\WINDOWS\tmp) - works fine
Attempt to run conversion script using tmp file that was uploaded and it doesn't work - run from command line works perfectly fine though
Scenario 2:
File is uploaded to directory I have given IIS_IUSRS full control of (for testing) and file won't upload - yes the directory is spelt correctly (I changed the upload_tmp_dir value in php.ini)
Both the site the javascript that send the XMLHttpRequest to the PHP file, as well as the site the PHP file itself reside on are IIS sites so I assume the script is being run as IIS_IUSRS.
EDIT: Temp file is no longer being created at all for Scenario 1, can't figure out why I am assuming playing with permission messed something up because the code hasn't changed. I've given Modify to IIS_USRS and USERS to try and get it working again but no luck :( although the error log is still writing to the same folder...weird
NOTE: The "tmp_name" value of the $_FILES variable I am sending still has a value of "C:\WINDOWS\Temp\'filename'" but the file is not there
EDIT: Another new development, it appears it is NOT a permissions issue because I can create a temp file via $temp_file = tempnam(sys_get_temp_dir(), 'Test'); however it obviously does not contain the uploaded data so it does not solve my problem
PHP is ignoring the upload_tmp_dir because of one setting on APPLICATION POOLS.
It's not php-cgi.exe nor php.ini or a permissions issue.
Go to the application pool of the website experiencing the issue:
1. right click
2. select advanced settings
3. scroll to LOAD USER PROFILE and set it to FALSE.
that did the trick for me.
This is less of a problem solved and more of a workaround. The issue seems to be something with the
$_FILES['file']['tmp_name'];
When I echo the contents it looks as I expect however no file appears. So rather than taking advantage of that process that happens naturally, I have had to take a manual approach. What I have done is the following:
create a temp file
$temp_file = tempnam(ini_get('upload_tmp_dir'), 'php');
then add the content from the temp file created during the $_POST request. (which some how are in the $_FILES variable even though the file is not when I look in the directory)
file_put_contents($temp_file, file_get_contents($_FILES['file']['tmp_name']));
the I have my temporary file for processing.
I went to edit this PHP file - it's supposed to generate those captcha security images on contact forms - the images werent working, so I was going to see if there was a broken path or something i could fix simply.
But when I opened the file it looked like this:
http://mydomainsample.com/explosion/screenshots/Screen%20Shot%202012-05-17%20at%209.34.14%20AM.png
complete gibberish.
Is it possible this happened somehow while downloading the file from the server? I did not have ftp access to the site originally - we got control of the domain and transferred it from one host to another.
I used site sucker to backup the site before transferring, but it downloads php files as html files. you end up with filename.php.html.
in the past this has never turned the php into incomprehensible gibberish, so i dont understand why it did now.
The problem is, you cannot use programs like "site sucker" to get PHP files. This is because when you get a PHP file from a URL, the file is executed, and you're getting the output of the script. That's why you get .php.html.
It doesn't "turn the php into incomprehensible gibberish", the server runs the script and you're getting the output. Most of the time the output is HTML, which you can open as text. In this case, the script's output is a PNG file, thus why you see "gibberish". Rename the file to .png, then you'll see the image.
You need to get FTP access in order to get the PHP source.
That's a PNG image, not PHP source code.
The file actually looks like a PNG image, maybe you just downloaded output the PHP script has generated?
In my site, i have created functionality to upload MS-Word Document.
and i'm moving that file using following PHP function
move_uploaded_file($_FILES['upload_file']['tmp_name'],$path);
I just want to know What happens if file(word document) is open while uploading it?
does it create any problem or generate any error?
Depends on how Word behaves. If it is in the middle of a write, then you'll either get a corrupted file or the OS will make the browser wait before uploading it. But this is a rare occurrence.
If the document is open, but Word is not currently writing you will either get an old version of the file, or a semi-saved corrupted state.
Best not risk it, and tell the user to close the file first.
Text editors don't have any hold over files they have open - they load them into memory, then save them back out when you hit save. So no, there will be no problem if a file is open when it is being uploaded. I wouldn't worry about mid-upload saves either (re: #Joe) - trust the browser and OS to sort that out for you. In theory, any file could be modified during an upload, but in practice, doesn't happen.
So I am running xampp and wordpress. I have an image uploaded to the uploads directory named "avatar.jpeg". It displays just fine. But when I delete it and upload a new image file named "avatar.jpeg", the server doesn't reflect the change and just shows the old file. But when I open the file in Eclipse or my explorer, then the server starts showing the change and displays the new image.
This is probably something basic which I never learned about. I tried chmod to set the file permissions on the new file but that didn't help.
The file will be cached in your browser. To force a reload, append an arbitrary variable to your file, e.g. <img src="yourfile.jpg?1234567" />
I also guess it's a caching issue like freddy K. does.
I would suggest to configure ETags on your Server.
Simply appending something to the URL may only help you when the appended string is changing on every update of the requested file(using the current timestamp or similar all the time will force the client to download the file on every request and slow down the page).
http://httpd.apache.org/docs/2.0/mod/core.html#fileetag
I am trying to secure my PHP Image upload script and the last hurdle I have to jump is making it so that users cannot directly excecute the images, but the server can still serve them in web pages. I tried changing ownership and permissions of the folders to no avail, so I am trying to store the images above public_html and display them in pages that are stored in public_html.
My File Structure:
- userimages
image.jpg
image2.jpg
- public_html
filetoserveimage.html
I tried linking to an image in the userimages folder like this:
<img src="../userimages/image.jpg">
But it does not work. Is there something I am missing here? If you have any better suggestions please let me know. I am trying to keep public users from executing potentially dangerous files they may have uploaded. Just as an extra security measure. Thanks!
You want something that's basically impossible.
The way a browser loads a page (in a very basic sense) is this:
Step 1: Download the page.
Step 2: Parse the page.
Step 3: Download anything referenced in the content of the page (images, stylesheets, javascripts, etc)
Each "Download" event is atomic.
It seems like you want to only serve images to people who have just downloaded a page that references those images.
As PHP Jedi illustrated, you can pass the files through PHP. You could expand on his code, and check the HTTP_REFERER on the request to ensure that people aren't grabbing "just" the image.
Now, serving every image through a PHP passthru script is not efficient, but it could work.
The most common reason people want to do this is to avoid "hotlinking" -- when people create image tags on other sites that reference the image on your server. When they do that, you expend resources handling requests that get presented on someone else's page.
If that's what you're really trying to avoid, you can use mod_rewrite to check the referer.
A decent-looking discussion of hotlinking/anti-hotlinking can be found here
Use an image relay script!
To serve a imagefile that is outside the public_html folder you would have to do it by a php script. E.g make a image-relay.php that reads the image that is outside the public html...
<?php
header('Content-Type: image/jpeg');
$_file = 'myimage.jpg'; // or $_GET['img']
echo file_get_contents('/myimages/'.$_file);
?>
Now, $_file could be a $_GET parameter, but its absolutley important to validate the input parameter...
now you can make an <img src="image-relay.php?img=flower.jpg"> to access a flower.jpg image that is located in /myimage/flower.jpg ...
Well, a web browser will only be able to access files and folders inside public_html.
If the public_html directory is the root of the server for your users, Apache cannot serve anything that is not inside/below that dorectory.
If you want a file to be served by Apache directly, you'll have to put it in/below public_html.
I think your misunderstanding is in the fact that if you include an image in an <img> tag, your browser will send the exact same request to the webserver to fetch it, that will be sent to the webserver if you try to open the src url of the image in your browser directly.
Therefore, either both things work, or neither.
There are hacks around, involving a (php or other) script to make sure that an IP that has requested the image has also requested the html page within the last few seconds (which will not work if the user is behind a proxy that rotates outgoing IPs) or by checking the referer (which does not work with HTTPs and also not if the user has referer disabled).
If you want to make sure that only some users can see the image (both via <img> tag and directly), you can put the image outside public_html and have a (php or other) script that verifies the user's credentials before serving the image.
If you are using Apache or lighttpd you can use the X-Sendfile header to send files that are not in the web root(provided you haven't changed the configuration of mod_xsendfile).
To learn more about X-sendfile see this site.
This solution is giving you the best possible performance as PHP doesn't send the file but the server does and therefore PHP can be exited while the files are being served.
Hope that helps.