Hello everyone i have a question with upload a file with php ocde.
please tell me with php code how can i give file permission(777) at the time of uploading .
Thanx in advance
You should follow the best practices on the PHP website for handling file uploads and once you move the uploaded file to the location you want it, you can do a chmod on the file to whatever permissions you want.
I would be careful using 777 permissions on any file, it can be dangerous, especially if you are running your code on a shared server. 755 is a much safer alternative for file permissions and is generally recommended.
Related
I have written simple PHP code to upload image file. Images are uploading successfully.
Here is my code,
mkdir("uploaded images", 0777, true);
move_uploaded_file($sourcePath,$targetPathNew);
but when i download that image, it shows me
Response: 550 Access is denied.
Error: Critical file transfer error
Thanks
This is due to permissions of the file. The uploaded file is owned by a web server user (such as www-data) and your FTP server runs under different user. While you change permissions on the folder to 0777 (allow everything to everyone), the file doesn't inherit the same permissions.
To fix this, you probably can add chmod($targetPathNew, 0777) in your code after the move_uploaded_file(...).
There is a chance though that this won't work due to some stricter server configuration. I'm not going to dive into this as judging by your question you're not very familiar with the Linux permissions (sorry if I'm wrong). You can find some essential information about permissions here, for example - https://www.tutorialspoint.com/unix/unix-file-permission.htm
Suppose that our web-hosting is linux and php is installed:
1- What could be the worst that happens when a php code can be uploaded instead of an image.
2- Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.
3- What if when the image directory has 644 permission?
The answer to my question can be combined with the ones given to these two: Security: How to validate image file uploads? and Security issues in accepting image uploads
What could be the worst that happens when a php code can be uploaded instead of an image.
Worst case: Intruder can execute arbitrary PHP code, maybe even arbitrary code on the server. If the attacker is clever enough while the sysadmins aren't, he might even own the whole server/subnet/network/...
Can the intruder somehow retrieve my database password ? suppose that the directory on which images get stored has 777 file permissions.
If the attacker can execute PHP code (which of course depends on your security measures), he can definitely read files from the current user, so the answer is most probably yes.
What if when the image directory has 644 permission?
Unless you use PHP in CGI mode, the execute bit shouldn't be necessary for the webserver to execute a script, so that alone doesn't help.
Of course those are not the questions you should ask. The question you should ask is how to prevent an attacker from uploading an executable PHP file in the first place. My answer to that is that you should check the file extension against a white list and drop everything else, for example:
$pattern = "/\.(jpe?g|gif|png)$/iD";
if (!preg_match($pattern, $filename))
die("Please don't.");
You should make sure you don't allow parsing of php files in your image directory, since I'm assuming it's going to be open to the public.
You could do this in the /images/.htaccess file with
RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
That way if they try to go to domain.com/images/hackdatabase.php it'll just return their code and not the file.
But you should check to make sure its' an image in the first place.
I am trying to create a really simple webpage in php, letting people upload images to a folder on my server. I made this really simple with some done code, and it worked awesomely on my computer with xampp, but when I upload the page to my server, it gets an error message every time I upload anything. The error is when the script checks if the image was uploaded, where it says
$copied = copy($_FILES['image']['tmp_name'], $newname);
if(!$copied)
echo "error";
This leads me to believe that there is something wrong with the permissions. But how can I set this? And what should I set it to? I just need others to be able to upload images to a spesific folder.
The web server needs write permissions to be able to write into the directory you're storing the images.
Assuming you're on a Linux server, run the following command on the server (ssh) after changing /path/to/uploaded/images to the image upload directory, and see if it solves the problem:
chmod 777 /path/to/uploaded/images
If that fixes the problem, you can probably relax the permissions to something like:
chmod 664 /path/to/uploaded/images
These are basic commands for directory permissions, which you can learn more about in this tutorial about file permissions on Linux.
Alternatively, you can use move_uploaded_file() to copy the uploaded file to a known location.
I am trying to upload a file via HTTP and run it through a virus scan and immediately move to a ftp location. Here are the basic steps,
Upload via HTTP
Do the virus scan on the php tmp directory (upload_tmp_dir) using php command line functions.
Move the file directly to ftp from the tmp directory after the virus check.
You might notice I am not doing a move_upload_file(), is this the best way to do it ? Or should I do steps 2 & 3 after I do a move_upload_file().
If I should not do it before move_upload_file() then what would be the reason ?
Thanks
I think that doing it before move_upload_file is appropriate. If you move it first, then you've put a file into your FTP directory which may have a virus; for the length of time that you scan, an unsafe file is available.
Also, if you do it before move_upload_file and find a virus, you can just leave it there and PHP will tidy up for you; no need to call unlink yourself :)
i'm working on a website wherein the users can upload images (uses php 4.3.11). the files are uploaded with no problem as i can see them in the upload directory and i don't get any error message, but when i try to access the uploaded files via ftp, i get an error: no such file or directory. sometimes, i am able to access the file sometimes i get this error. what could be the problem here?
[update]
thanks for the help guys. i'm not familiar with the ftp daemon stuff. but i do access my files via ftp using FireFTP. the files are there but when try to download them or change the file properties, i get the said error. i also tried uploading a file in the folder through ftp and i was able to download it with no problem.
here is some of the code i'm working on, its kind of roundabout but i'll see on how to improve it.
my working directory is something like this www.domain.com/register/
and the upload directory is here www.domain.com/register/uploads/
users are required to register and upon sign-up, a folder is created for them in the uploads directory. i couldn't find a way to create a folder without having to be in the uploads folder itself so i redirect to a create-user-folder.php file in the uploads dir.
the file just contained this code:
$user_foldername = rawurldecode($_GET['name']);
mkdir($user_foldername);
header("Location: ../form.php"); // redirect back to the page
i checked and the created folder's permission is set to 775.
and here's part of the code i use in uploading ( /register/function/function.php ):
$path = "../uploads/$user_foldername/";
for($j = 0; $j < $num_of_uploads; $j++){
if(is_uploaded_file($_FILES[$file]['tmp_name'][$j])){
$filename = $_FILES[$file]['name'][$j];
copy($_FILES[$file]['tmp_name'][$j],$path.$filename);
}
}
i checked using FireFTP and the files are in the /uploads/user_foldername/ directory and its permission is set to 664. the strange thing is that when i try to download the files, at times there would be no problem at all but there are times when the error will appear.
[another update]
i added chmod() after the copy() function,
$filename = $_FILES[$file]['name'][$j];
copy($_FILES[$file]['tmp_name'][$j],$path.$filename);
chmod($path.$filename, 0755);
but i still get the error.
another thing is that when i access /register/uploads/user_foldername/ through the url, i can see all of the uploaded files and view them, but how is it that i can't access them via ftp?
thanks again!
This is either a permission issue, or a configuration error. Here are things you should try:
What are the permission of the uploaded files? Does the FTP user has access to these files? Have you tried logging in as the user the FTP daemon would use and see if you could read the file that way?
Do you really see the correct directory? Have you verified by putting a file in that directory yourself and downloading it? Have you used the ftp command ls to verify the presence of the folder/folders/files?
You might need to chmod the folder the files are in, or in some cases the files themselves.
try chmoding them to 775
You can chmod files and folders through PHP it's self, with the chmod function. Or, you could use a FTP program such as filezilla.
Also check to make sure the intermediate directories are also permissioned as 755, as all the directories in the path need to be executable to be traversed.
i just figured out the problem. it was all because of the file name having accented characters in it, which explains why i do not always get the error message :|
<sigh> i should have seen this earlier, but anyway i hope this helps in case someone ran into the same problem.
thanks again! i really appreciate it :)