I've hosted a site on a shared hosting server.
I've a given permission 776 to a folder, is it possible for someone to upload a file using move_upload_file to my server from his home pc or own server ?
Edit
If i do not provide the front panel or some UI to the user is it still possible to upload file ?
You use move_uploaded_file (note: upload*ed*) to move/rename files in your PHP scripts on your server. The special thing about move_uploaded_file vs. rename is that it will check whether the file was just uploaded in the same HTTP request. If it wasn't, it will fail with an error.
This is to prevent errors in your script or malicious users from tricking your server into moving any other sort of files around that you didn't intend to move. Using it you can be sure that you're only moving uploaded files out of the temp directory to some other destination.
That's all it does. It does not upload files to some other server. You cannot simply upload files to some other server without that server handling that upload somehow (like through a PHP script, FTP, SCP etc).
Not sure what you're asking exactly.
If you're saying, can you make an HTML form and have someone hit that from their browser to upload. That depends what user apache runs as. You can make an HTML form, catch it with PHP and use move_uploaded_file if whatever user apache runs as can create a file in that directory.
If you're thinking someone can write a php script on another computer, and use the function move_uploaded_file, then no, you definitely can't. That's not what that function does. I'd recommend using SCP for something like that.
No, if you do not provide a script which receives the file and moves it, some other user can't upload a file to your server.
All move_uploaded_file does is move a file from the temporary directory on the hard drive to a different location on the same hard drive. It cannot put files on someone else's computer.
Your question is equivalent to asking whether your next door neighbor can copy child pornography onto your home PC's hard drive over the internet. You should be happy that the answer is no.
Related
When creating an uploading sharing site, is it possible that users may upload their own php scripts and have it run automatically even tho they don't know where the website uploader put that script file? For instance if the website uploads your php file but names it a random name and puts it in a secret directory could this script still contact another server via some PHP OnLoad function? or does the script necessarily need to be executed by someone for it to run its contents?
A PHP script is not auto-runnable. I mean, It has to be executed by someone or something as a software on your computer needs to be executed by someone or something.
You can protect your upload directory with a htaccess to prevent the access/execution by your browser.
Just put the uploads into an unaccessible folder in your website. (You can achieve that with a .htaccess file).
Than you just need a script which handles the downloads. You should now that if some one wants to upload for example an exe file he could also rename it. But it if you want to just protect against attacks where php code is uploaded and accessed this method should work fine.
I have a website which I'll call website.com that is located on server1. website.com has a field to upload a file. When someone uploads a file on website.com, I don't want the file uploaded to server1, I want it to upload to another server, server2. What is the best way to do this? Can I do this using php, a shell script?
After the file is uploaded to server2, I have a shell script to execute on the file which I will also eventually have to figure out how to run from server1.
I hope this makes sense, thanks in advance.
another possible way to do this is by uploading this file to your website.com site and use CURL to send the image to another server. once this completes you can remove the image again.
see CURL PHP send image for more information.
-- UPDATE --
For SSH connection you need to install additional libraries in order to allow php to make SSH connection. an excellent tutorial can be found here.
-- UPDATE 2 --
The question intrigued me, so i expanded my research. there seems to be another PHP Library phpseclib around on Sourceforge. In the documentation on page 5 there is some information on how it works.
The only good way to make this to work is to read the image to binary, and send it over the the other server, as text and write that into an file, hence creating an image from the source of the original.
Also place the image in a public folder that is accepts calls from your website1 domain, this way you also prevent hot linking your images and saves considerable data.
I also came across this for help with phpseclib.
in the end i wouldnt choose for a solution like this. I would swap your website from server1 to server2, just to keep everything in one place.
Cant you put the script to handle the upload on Server 2?
You can have your HTML pages with the form served for server 1, but call the PHP for the upload from server 2.
Update
For example...
Server 1 has a file index.php which has a form:
<form action='http://server2.com/some_directory/uploader.php' method='POST'>
.... Some form code
</form>
The form on index.php points to a PHP script on server 2, via a URL. That PHP script can now handle the input.
Of course this will only work if server2 is connected accessible from the internet, if not you will have to use some sort of shell script on server 1 to move the files on the internal network when they are uploaded to server 1.
I have a site that people upload large (2mb-3mb) files to, In large quantities. So I need to store them on an external drive (my drobo). How can I upload files to a folder on the server and then how can I write a php script that retrieves them and lets users download them.
Thanks,
Joey Sacchini
To do this, simply move your files into an accessible space.
http://php.net/manual/en/function.move-uploaded-file.php
Be sure to consider the implications of this though. Once you move an uploaded file to an open directory, anyone can access it. This is very dangerous. Imagine someone uploading a PHP script.
It is best to create a script that fetches files from a location not in the web root. At a basic level, you can store the file's properties, such as original name (you should rename them to something random on disk) and mimetype, to database. Then send the file to the client with readfile().
For downloading backups to your own personal hard drive, just use SFTP.
This is not a quick answer, you need to understand how to upload, retrieve, and save the file to the server; set write permissions for PHP and a few other things. I suggest you try these links to get you started fast:
http://www.w3schools.com/php/php_file_upload.asp
http://www.tizag.com/phpT/fileupload.php
Also visit the PHP reference manual for some great examples.
well u can keep the uploaded files outside of server directory. so if ur server root is /www/htdocs u can keep the files in say /uploaded. so use something like
move_uploaded_file($_FILES['file'],'/uploaded')
this way ur files will be inaccesible to the outside world
I just transferred a website to a new server and have a strange problem. On all of the pages that have a PHP include command, the file stopped uploading, and cut off everything from that line of PHP down. Not just when executing, but when uploading the file via FTP. I can remove the include command, and it uploads the full 4KB page, but with it, the page only uploads the 1KB before the command. What gives?
allow_url_include is turned on, the file that's included is just basic HTML, and it worked fine on the old server... I've never been unable to upload a file because of a problem in the code before. Any ideas?
That might be a security measure from the hosting company.
It is a common attack vector to brute-force FTP passwords then add/modify PHP scripts to include() malicious code from another compromised server.
I would contact the hosting company and ask them. They may have to lower their security for you, add your IP address to a whitelist, or provide an alternative method for uploading files (SSH/SFTP for example).
If you can't contact the system administrator and have SSH access then try connecting by SFTP and uploading again.
I have a PHP script that processes file uploads. The script tries to organise the files that are uploaded and may create new folders to move the files into if needed. These files will be below the www root directory (ie, a web browser will be able to access them).
My question is, what permissions should I set for the folders that get created and for the files that are moved into them (using mkdir() and move_uploaded_file())?
Your webserver needs read and write permission in those folders, execute permission should be revoked (assuming UNIX-like systems). If not, a user could upload a script and have it executed by sending a HTTP request for it.
But IMO the whole concept is a potential security hole. Better store the files in a folder outside the webserver root, so that no direct acceess is possible. In your web application, you can have a PHP download page that scans the upload directory and displays a list of download links. These download links lead to another script, that reads the fiels from you storage dir und sends them to the user.
Yes, this is more work. But the scenario is very common, so you should be able to find some source code with example implementations easily. And it it much less work that having your server hacked...
to answer it specifically 766 (no execute permissions) would be the loosest you would want to use. On the other end 700 would allow no one but the web user to mess with the file.
But really it all depends you were doing with the files that would determine the best result.