Running PHP 5.3.1 on a Windows server, I have to modify a PHP script to access XML files on a network share. For various reasons the files cannot be placed on the PHP server, and I am not allowed to create a mapped drive on the PHP server so I have to modify the open_basedir parameter in PHP.ini to include the UNC path to the share, e.g.:
open_basedir = "E:\inetpub\;E:\DB_HubDataFiles\;\\stdmfps01\inter-departements$\CVSC-CDT-Estimation-Cedule\"
However when I try to access files on the share I get the "open_basedir restriction in effect" error. I am trying to access the files as follows:
$jobfilename = "//stdmfps01/inter-departements$/CVSC-CDT-Estimation-Cedule/" .$job . ".xml";
if (file_exists($jobfilename)) {
$jobxml = simplexml_load_file($jobfilename);
etc...
I have been assured that it is not a problem of rights, and anyway the error indicates a problem with open_basedir. So my questions are:
does open_basedir handle UNC paths under Windows (I have seen conflicting statements about this)?
if so is there some problem with my syntax?
do I have other options than using open_basedir?
Thanks.
Anyway, here's what ended up working for me, even if I am not totally clear why:
In php.ini changed the open_basedir parameter to use the IP address instead of the server name, and used the parent directory of the directory where my files are located, instead of the directory itself:
\\\nnn.nnn.nnn.nnn\inter-departements$\
instead of:
\\servername\inter-departements$\CVSC-CDT-Estimation-Cedule\
In the PHP script used the IP address as well:
$jobfile = "//nnn.nnn.nnn.nnn/inter-departements$/CVSC-CDT-Estimation-Cedule/" . ($jobid) . ".xml";
This worked for me: Replace the backslashes with slashes
open_basedir = "E:\inetpub\;E:\DB_HubDataFiles\;//stdmfps01/inter-departements$/CVSC-CDT-Estimation-Cedule/"
Related
I'm trying to run this code:
$img = new Imagick('ttt.jpg');
$quality = $img->getImageCompressionQuality();
echo $quality;
I have two websites which have this code and they are running on plesk.
This code works fine on one of the websites but on the other one I get:
open_basedir restriction in effect. File is not within the allowed path
I gave the permission of 777 to the folder and containing files.
Both websites are using PHP 7.3 and therefore the same php.ini file
I'm using Plesk and Windows Server 2016
What am I missing?
Ok I got it, it's in the PHP settings of each website, there is an option called open_basedir which is set to none on the website on which the imagick code works
I'm currently having an issue trying to upload a file (an image) and sending it to a folder, this for a CMS/blog where people can comment and create profiles with pictures, unfortunately, XAMPP won't allow me to send it and it displays this message
`Warning: move_uploaded_file(../images/ ): failed to open stream: Permission denied in C:\xampp\htdocs\CMS\CMS_TEMPLATE\admin\includes\add_post.php on line 19
Warning: move_uploaded_file(): Unable to move 'C:\xampp\tmp\php37A6.tmp' to '../images/ ' in C:\xampp\htdocs\CMS\CMS_TEMPLATE\admin\includes\add_post.php on line 19
I know is a problem with the permission or privileges to read and change files, but even when I changed those permissions on the folder to let it write and modify files, the error messages still appear, I'm working on windows 8.1 with XAMPP and I haven't found a solution to this, it would be really helpful if anyone could help me. Also here's the code if anyone needs to see it.
<?php
if(isset($_POST['create_post'])) {
$post_title = $_POST['title'];
$post_author = $_POST['author'];
$post_category_id = $_POST['post_category_id'];
$post_status = $_POST['post_status'];
$post_image = $_FILES['post_image']['name'];
$post_image_temp = $_FILES['post_image']['tmp_name'];
$post_tags = $_POST['post_tags'];
$post_content = $_POST['post_content'];
$post_date = date('d-m-y');
$post_comment_count = 4;
move_uploaded_file($post_image_temp, "../images/ " );
}
?>
<div class="form-group">
<input type="file" class="form-control" name="post_image">
</div>
Thank you!
The function move_uploaded_file is available in
(PHP 4 >= 4.0.3, PHP 5, PHP 7, PHP 8)
and in PHP's official documentation defined as following
move_uploaded_file(string $from, string $to): bool:
This function checks to ensure that the file designated by from is a
valid upload file (meaning that it was uploaded via PHP's HTTP POST
upload mechanism). If the file is valid, it will be moved to the
filename given by to. This sort of check is especially important if
there is any chance that anything done with uploaded files could
reveal their contents to the user, or even to other users on the same
system.
This function is open_basedir aware. However, restrictions are
placed only on the to path as to allow the moving of uploaded files in
which from may conflict with such restrictions. move_uploaded_file()
ensures the safety of this operation by allowing only those files
uploaded through PHP to be moved.
Return Values
This functon returns true on success.
1. If from is not a valid upload file
Then no action will occur, and move_uploaded_file(...) will return false.
2. If from is a valid upload file, but cannot be moved for some reason
Then no action will occur, and move_uploaded_file(...) will return false. Additionally, a warning will be issued (#MiguelDavid your case).
Referring to open_basedir string
Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.
When a script tries to access the filesystem, for example using include, or fopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to access it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. If the file doesn't exist then the symlink couldn't be resolved and the filename is compared to (a resolved) open_basedir.
open_basedir can affect more than just filesystem functions; for example if MySQL is configured to use mysqlnd drivers, LOAD DATA INFILE will be affected by open_basedir. Much of the extended functionality of PHP uses open_basedir in this way.
The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().
In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with "php_admin_value open_basedir none".
Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.
The restriction specified with open_basedir is a directory name, not a prefix. The default is to allow all files to be opened.
open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set(). When listing several directories, you can use the PATH_SEPARATOR constant as a separator regardless of the operating system.
Also take a look at upload_tmp_dir string
The temporary directory used for storing files when doing file upload. Must be writable by whatever user PHP is running as. If not specified PHP will use the system's default.
If the directory specified here is not writable, PHP falls back to the system default temporary directory. If open_basedir is on, then the system default directory must be allowed for an upload to succeed.
In your case xampp temporary directory is located:
C:\xampp\tmp and it,s also writable, so nothing to do there!
... To fix your issue / finish ...
Now that function move_uploaded_file is open_dir aware as already mentioned, give the directory for your images the appropriate owner permissions (e.g.: 0755):
../images/
This will get you out of the issue!
According to Dan Delaney on https://www.php.net/manual/en/function.move-uploaded-file.php#86332 you might need to set the "upload_tmp_dir" to an existing directory within you websites directory structure, since you are running on Windows.
Search for "upload_tmp_dir" in your php.ini file and set it to a path pointing to an existing directory:
upload_tmp_dir = "path_to_your_custom_tmp_dir"
I have a VPS using FastCGI (WHM/cPanel). As I understand it, open_basedir must be set using a php.ini file in each user's /home/ directory (E.g.: setting it globally in apache config file will not work).
I want to use open_basedir for improved security, as I recently had a hack that involved traversing through different user's directories
I have added this value to a home directory's php.ini file:
open_basedir = /home/USERNAME/public_html:/usr/lib/php:/usr/local/lib/php:/tmp
What I want to know is, is there a way to test that this is functioning properly? Presumably I would want to try and execute a .php file in another user's directory from within that first user...however I don't know of a good way to test this. Any suggestions would be greatly appreciated.
Try listing the contents of a different user's public_html folder:
<?php
print_r(shell_exec('ls /home/$anotheruser/public_html/'));
?>
If open_basedir is configured properly, you will see a directory listing for that folder.
Im beginner in php language. in my web project i created a filepath.config.ini file which stores all file path in the website directories. for eg.
CLASS1 = bin/myclass1.php
CLASS2 = bin/myclass2.php
and im accessing those path by using:
require $_SERVER['DOCUMENT_ROOT'].'/'.GetfilePath('CLASS1');
in localhost server its working good and giving me path like this
D:/myproject/bin/myclass1.php
when i upload those file on test server im getting this open_basedir restriction error.
Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/usr/local/apache/htdocs/projectfolder/bin/myclass1.php) is not within the allowed path(s): (/home/:/usr/lib/php:/tmp)
i know we can disable this restriction...but i dont know how to do that :P.
but is it good to use this server DOCUMENT_ROOT ???
or is their any alternate way to use the file path? what you people do to access those file path.
and what happen if i disable the open_basedir restriction? is it secure to do that?
please help me what to do?
Edit your php.ini file (PHP: Configuration Changes) and either disable open_basedir or add /usr/local/apache/htdocs to it.
i will have numerous subdirectories eg. /home/a, /home/a/file, /home/a/txt, /home/b, /home/b/file, /home/b/txt, etc.
the subdirectories are created on demand. i need to add all subdirectories to open_basedir.
pls advise how to make open_basedir recognise all subdirectories of a top path?
From http://php.net/manual/en/ini.core.php#ini.open-basedir
The restriction specified with open_basedir is a directory name since PHP 5.2.16 and 5.3.4. Previous versions used it as a prefix. This means that "open_basedir = /dir/incl" also allowed access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: open_basedir = /dir/incl/
/dir/incl/ = only the directory no subdirectories
dir/incl = all subdirectories
If Apache doesn't find some directory within specified path -- upgrading of some php module may fix the problem. I have such problem when used PHP 5.3.15 and eAccelerator which has been installed when I used PHP 5.3.3.
PHP with eAccelerator was unable to include all subdirectories within specified open_basedir, until I upgraded eAccelerator to appropriate version of PHP.
open_basedir means all subdirectories are available, once the basedir is on your include_path. You will of course need to make sure any paths to included files are correct, e.g. If you want something in /home/b/file you'll need to
include('b/file/myfile.php');