I was wondering, is it possible to access a folder not inside the web server? Say, for example, I have a XAMPP installation and inside the htdocs folder I have a web app called MySite which has an Upload folder.
What I want to do is redirect all my uploads so that, instead of being saved into MySite\Uploads, they are saved into D:\Data\Uploads.
Is this possible? I presume this should have already been asked many times and answered many times, but I wasn't able to find the right answer, maybe because I haven't pinned the right question.
Please help.
It is possible if the webserver has write rights in that folder.
For example, if you do a:
file_put_contents("absolute_path_where_you_want_to_save", $file_contents);
It will work if the user executing the php script has the correct rights (write) to do so.
This is especially useful when READING files that are outside the webserver, for example to retrieve the MySQL user and password from a file that can't be read even if someone gains access to the folders of your webserver.
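An added example, not part of the original answer: an upload handler that saves into the D:\Data\Uploads folder from the question. The form field name "upload" and the function name store_upload are assumptions made for the illustration.

```php
<?php
// Added example: store an upload outside the document root.
// UPLOAD_DIR is the folder named in the question; the form field
// name "upload" is an assumption.
const UPLOAD_DIR = 'D:\\Data\\Uploads';

/**
 * Move one entry of $_FILES into $dir and return the stored file name.
 * Throws RuntimeException when the upload or the target directory is unusable.
 */
function store_upload(array $file, string $dir): string
{
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $error);
    }
    // The account PHP runs as needs write rights here, as the answer says.
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException("Not writable by the PHP user: $dir");
    }
    // Do not reuse the client-supplied name as a path. Generate one and
    // keep the original name only as metadata (for example in a database).
    $stored = bin2hex(random_bytes(16));
    $target = $dir . DIRECTORY_SEPARATOR . $stored;

    // move_uploaded_file() refuses anything that is not a genuine HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move upload into ' . $dir);
    }
    return $stored;
}

if (isset($_FILES['upload'])) {
    try {
        $id = store_upload($_FILES['upload'], UPLOAD_DIR);
        echo 'Stored as ' . $id;
    } catch (RuntimeException $e) {
        http_response_code(500);
        error_log($e->getMessage());
        echo 'Upload could not be saved.';
    }
}
```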
Related
I am quite new to the PHP business, so please forgive me if the question sounds stupid to you. (Always ask for forgiveness, never for permission ;)
Nevertheless, my theoretical question: I have a PHP-based website, which is located in the web root. This PHP allows creating another PHP file, and it's also saved in the web root. Later, I can "request" this newly created PHP and thus the PHP will be run. That means, to my understanding, as a PHP script can include/access files outside the web root, I have basically full access to the server via this PHP program. Is that right? I would be shocked if it is true... so if I am wrong, what is preventing this access?
This is going to be based on file permissions. If you're on a hosted server, you have permission to change everything on your area of the server (and you'll have a special identity that gives you permission). You should also be able to send requests just about anywhere (which is including/accessing files outside your area). Chances are your special user does not have permission to write outside your dedicated space on the server. This is pretty standard. I'd look into File Permissions, and how they work on webservers if you're interested in learning more.
Currently, I am putting all files in my public directory which means that anyone can download the file.
However, I don't want anyone else to see that file other than the user who created it. As of right now, I have no control over that. Maybe if I store it in another directory, I will be using middleware to protect it.
But I'm stuck on the part where I can upload the user-uploaded files.
Where is the best directory to put them? I don't have an external server I just have a VPS.
Laravel has a storage folder designed especially for this case. It's not available from outside your server and you will have to serve the files from it through Laravel.
I have a website which has a lot of confidential data and code which I have custom made. I have hired a developer to do the designing and some simple PHP integration for me.
To prevent him from seeing all files, I made a test environment in one of the subfolders, like mywebsite.com/testfolder
Now I want him to access the db_test.php, function.php and parameter.php files which are located in the root folder such that he can just include them while executing the scripts (example mywebsite.com/testfolder/mainfile.php) and not download them (with a PHP script or by any other means). The idea is to prevent him from seeing the code and just use the stuff as it is.
This would also mean that his access to the root folder should be also completely restricted except for the above mentioned files.
I have created a test database and a separate user for him so the database bit is secured.
I have also created an FTP user which can just access the testfolder through FTP.
What I am concerned about is that he might run a PHP script that will give all secrets in the root folder.
I have myself been able to list and download files by running a simple PHP script from testfolder.
Please suggest how to make this work as I am planning to have a virtual team who will work on the website which will have restricted access to various different resources.
RULE NUMBER ONE: never develop on a live project.
You may create a development environment (=web site) somewhere else, put some meaningless files and/or databases there and allow your developers full access. Then, from time to time, you update your working copy from the repository (you have set up an hg/git repo, haven't you?), review and test the changes and only then upload files to your main web site.
I am writing PHP code that creates another PHP file with fopen and writes to it. It runs on most shared environments without any problem, but on some old servers and customized servers the code fails to create the file and write to it even though the folder permission is 755, as PHP runs under the account 'nobody' and the folder owner is another user.
On shared servers the folder owner and PHP both run under the same user and so there are no permission issues.
Can anyone help me out here with a solution please.....
Thank you All...
EDIT: This problem might have bugged many others including packages like Joomla, Drupal, etc. How do they get around this problem? Can anyone explain please. Thank you.
If PHP runs as user 'nobody', but the folder you're trying to write in belongs to a different user, the only way to have write rights to that folder would be if 'nobody' is in the same group, or if the folder has permissions 777 (write rights for everyone).
There is no direct solution to this problem. So the only solution was to show the user a relevant message and ask them to copy the files manually...
I have a PHP script that processes file uploads. The script tries to organise the files that are uploaded and may create new folders to move the files into if needed. These files will be below the www root directory (ie, a web browser will be able to access them).
My question is, what permissions should I set for the folders that get created and for the files that are moved into them (using mkdir() and move_uploaded_file())?
Your webserver needs read and write permission in those folders; execute permission should be revoked (assuming UNIX-like systems). If not, a user could upload a script and have it executed by sending an HTTP request for it.
But IMO the whole concept is a potential security hole. Better store the files in a folder outside the webserver root, so that no direct access is possible. In your web application, you can have a PHP download page that scans the upload directory and displays a list of download links. These download links lead to another script that reads the files from your storage dir and sends them to the user.
Yes, this is more work. But the scenario is very common, so you should be able to find some source code with example implementations easily. And it is much less work than having your server hacked...
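A sketch of the download script described in the answer above, as an added example that is not part of the original post. The storage path, the "file" query parameter and the function name resolve_download are assumptions.

```php
<?php
// Added example: serve files from a storage folder outside the web root.
// STORAGE_DIR and the "file" query parameter are assumptions.
const STORAGE_DIR = '/var/data/uploads';

/**
 * Map a requested name to a real file inside $dir, or return null if it
 * does not exist or would resolve to a location outside $dir.
 */
function resolve_download(string $dir, string $name): ?string
{
    $base = realpath($dir);
    if ($base === false || $name === '') {
        return null;
    }
    // basename() drops directory parts; realpath() resolves symlinks and "..".
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still sit under the storage dir.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (PHP_SAPI !== 'cli') {
    // Reject array-valued parameters such as ?file[]=x.
    $name = is_string($_GET['file'] ?? null) ? $_GET['file'] : '';
    $path = resolve_download(STORAGE_DIR, $name);
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    // The application's login/ownership check belongs here, before any output.
    // Generic type plus nosniff so the browser downloads instead of rendering.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header("Content-Disposition: attachment; filename*=UTF-8''" .
        rawurlencode(basename($path)));
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```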
To answer it specifically, 766 (no execute permissions) would be the loosest you would want to use. On the other end, 700 would allow no one but the web user to mess with the file.
But really it all depends on what you were doing with the files; that would determine the best result.