So I am trying to use XAMPP server on ubuntu (Xampp 1.7.7 and yes, I know it is old) to upload files to a specific directory using PHP.
I know that it can be done, but every bit of code I can find wants to use a temp name. I think it checks to see if there is a duplicate file but can't I set it to just go strait to the directory? I know it wont be a problem so is this possible? Let me know if I need to be more specific.
Also, please don't ask "Why don't you want to use the temp directory?" because I don't want/need to is your answer. So if you have an answer, please let me know.
Thanks! :)
PHP couldn't care less about duplicate files. If two people upload "file.txt", PHP won't care, because it'll be using that nice random temp name instead. File collision handling is NOT php's job. that's up to your code.
And while it would be nice if you didn't HAVE to use a temp file for uploads, removing that restriction would mean a complete re-write of PHP's upload infrastructure. The script which a file upload is performed on is not invoked until AFTER the upload has completed (regardless of success). There is no mechanism in PHP to allow a "live" script to accept the upload as the bytes are streaming in.
If you need to handle the raw straw as the upload proceeds, you'll have to use some other language, e.g. perl.
Related
Wherever I look on the difference between PHP functions' rename and move_uploaded_file it always says that the difference is that move_uploaded_file have some security features.
My questions are:
what are those security features, what happen if I don't use it?
In case that I can't use it (I did an upload but not through POST) so I have to use the rename function, what security measures do I need to take?
Thanks.
Edit
#Pekka asked from me to elaborate of how I plan to upload the file.
I'm going to upload files through Ajax, and I have some queue feature for uploading multiples files. Therefore I'm using the php://input stream.
If I understand Pekka answer correctly, I have nothing to worry about since I'm getting the file as a stream and I'm not copying any temp file.
Please correct me if I'm wrong.
The background of this was an ancient, pretty bad vulnerability (in the early 2000s) in which you, instead of uploading an actual file, you could overwrite the tmp_file path with a local file path, leading to that local file being treated as the upload instead of the real uploaded file. (There was no $_FILES array back then.)
So for example, when uploading an avatar, the script would copy() the system file you specified (say, a configuration file ../../super_secret/config.php or a .htpasswd) to a public location and try to display it as the avatar image in a <img> tag.
Strangely, I'm unable to find any specific info on this vulnerability (I've searched a number of times already over the past couple of years), but I know for a fact it existed because I tested it myself. Any links are welcome.
As to what security measures to take, as said in the comment, I think you need to explain in more detail what kind of alternative file upload you are planning to use.
Im planning to add file manager (very basic once) because I never used FTP functions, and it looks easier (FTP connection loses when scripts is done). I would simply use POST request (or what should I?) instead of FTP functions. Is it good idea? Anyone knows restrictions?
As far as I can see only FTP functions are to post and receive files.
What you need to do is add dynamic form where you can select multiple files and upload them to specific directory of your chose.
You will need to get all available directories and files in them, probably with some kind of recursive function. More optimal way is to get directories/files of current folder and when you click on folder it will get files/folder for it.
Can it be done - sure. Is it a good idea - no. People will have access for uploading malicious files, we are not talking about images here, php scripts, shell scripts, executable viruses and so on...
If you are doing this only for yourself, for file posting and receiving I suggest you to use FTP clients for that.
I wouldn't recommend it, but it's probably best to use a 3rd party tool, rather than to write your own.
PHP File Manager
PHPfileNavigator2
FileManager
...
Keep in mind that both PHP and your webserver can put certain restrictions on the size of files that you can transfer, it is of course possible to change these in the configuration files.
im trying to implement on my site a system who let the user download a file that have to be change before the download.
I have a master file (a .exe program), that inside have a variable who has to be change for every different user.
The most simple solution is to change a variable inside a xml file every time the user want his personalized exe and then make the exe file to read the external file. BUT i dont want the user to download more than one file.
Is this possible? using php can i change a parametter inside a compiled program? Thanks for any help and suggestions!
If you really really know what you're doing and you know exactly the bits that need to be flipped inside the file, then yes, it's possible to modify the .exe file with PHP. Otherwise you have to make changes to the source or other files the .exe is built with and compile the program on the server before sending it to the user.
In theory it's certainly possible (PHP is turing complete), but as stated in other answers it will be hardly worth the hassle (considering the fact that you have to ask whether it is possible shows you'd have to investigate at last for days into the standard exe-format).
I'd recommend one of the following:
1) Zip the program with the configuration file; either use a separate launcher (e.g. Java [a JAR is a ZIP file]) or add a configuration file that is read by the program itself. There is a number of PHP libraries for generating ZIP files.
2) compile the program with the changed source on the server itself; however this can also become quite complicated depending on your server configuration and the programming environment you use. If you have never administered a virtual server I would not even slightly recommend that as an option.
3) If you can assume that the user got somewhat stable Internet access you might also consider to let hir download a standard executable, where additional configuration will be downloaded later on by the program itself (e.g. by transmitting the username to the server). However this creates dependencies you might want to avoid (your user probably can't use it on machines without Internet access and you should assert that your server is up most of the time).
While it's probably possible, I doubt it's worth the hassle. Unless you're trying to fight piracy or something. Why don't you just serve the user a custom .zip file with the .exe and a config .xml?
[edit after OP commented]
I presume what you're trying to edit is the facebook ID/username? Well, try to compile the base file with some unique string like "THISNEEDSTOBEREPLACED", then use some binary safe function to replace it. Though remember things can and will get tricky if the string lengths don't match.
For various dull reasons, I'd like to assay a script that looks at the files in a directory, copies the filename of the latest and inserts it into a mysql table. It shld also check if the insert has been done already.
I am a web tinkerer (i work in construction) so my question may seem a bit ingenue but what functions do I need to get the filenames of files in a particular directory ? I can see how to check if the insert's been done already plus the db insert bits. I just wanna learn how to get hold of the latest filename.
Afterthought: is there a way to run the script automatically or on completion of a successful ftp upload to the directory in question ?
Tom
I would recommend the SPL DirectoryIterator instead of glob().
To answer your second question:
Afterthought: is there a way to run the script automatically or on
completion of a successful ftp upload
to the directory in question ?
This depends on the type of server you're running on, since you're programming in PHP, I'll assume it's a Unix or Linux based machine, in which case you'll want to read up on CRONTAB, which is the normal way of running scripts at a specific time.
It would be difficult on the server end to know when a client has finished uploading via FTP, as you likely really don't know how many files they might upload.
I'm experiencing my first form in php where images can be uploaded.
I've seen some article on the web which explains it can be dangerous, so there is some way to block scripts on a specified folder? Something with .htaccess or php .ini instruction?
The VERY best way is to make sure that your upload directory is outside of your webroot. As long as the webserver has read/write access there you will be fine - no worries about executable uploads. This was discussed here on stackoverflow.
Your best bet is to verify the file's extension upon upload. If it's not jpg/png/gif/etc., dismiss it. As long as your webserver is not misconfigured to interpret any file as a PHP file, then with this approach you're out of harm's way, with minimal headache and really simple implementation.
Check the file being uploaded has a benign extension (.gif, .mp3, etc) - and trash anything else. For extra-sekrit protection, capture the file's original name in a database (for future reference), then encrypt the filename (and store that as well). That way anything that's uploaded can't be found by filename by the uploader.
It's dangerous only if you let the users upload whatever they want. Allow only what you decide is safe and you won't need to block anything.
i think it can be dangers if you don't check what file type was uploaded e.g. "hacker" uploads a php file that deletes all of your httpdocs stuff, or if people can upload to many or to big files.