i want to be able to make a folder where users upload content too, and then an admin can use a password possibly to view the folder and make choices on to approve or reject the content. best way to do this?
A secure and easy way is to do it with .htaccess and .htpassword to allow only specific people to access the directory.
Use chown to change the file/folder owner. In the php docs they say it works for files, but folders are just files and it should work. If it doesnt use shell_exec and use the OS chown (on *nix , donno about windows).
Alternatively you can use HTTP authentication, if the folder is on a public path. I would not recommend .htaccess unless you are out of options. Htaccess were created for other reasons. Use the correct tools for each problem (see Golden Hammmer).
Related
Is it possible to arrange file permissions/group ownership/etc in such a way that a file can be read by the function readFile() for a forced download, but it cannot be downloaded by navigating to the literal url of the file?
Maybe you could add the user that is running apache / php to the group that owns the file. And set config to read and write for owner and owner group, and no permission at all for others. (-rwxrw---- 0r 0760)
Never tested it, but it should work.
The Apache user will need read permissions. To prevent it from being navigated to, the best (and easiest) solution is to store the file outside of the web folder.
I think this question should be something easy but after searching all over the web I couldnt find an answer, so I decided to ask here.
I have a file uploader in my website that works with php. The folder where files are being uploaded has 777 chmod. I also have a php script to list the files in that folder. What I need is to allow php to upload and browse files on that folder, but dont allow people to do it. The only solution I imagined is to chown that folder to another user different than default, so I could later chmod in filezilla and allow only owner to do it, so people will see the files trough the output of the php script, but not if they navigate to that folder.
Im using Debian, apache2. Id like to know what could I do.
To make it shor, my aim: allow php to upload, read, write and execute files in that folder, but not clients unless they use my php script.
Thanks in advance
Put all the files you're talking about in their own directory. Add a .htaccess file to that directory. The contents of the .htaccess should be deny from all.
This will prevent any user from manually accessing the files as access will be blocked off. Your PHP script can still browse the contents of the file and serve it up as an attachment with the correct content type.
For more info on how to serve a file for download in PHP, read this: https://serverfault.com/questions/316814/php-serve-a-file-for-download-without-providing-the-direct-link
All services including web servers run in a security context which is an account in the OS, for example apache starts using apache user in apache group. It is enough to change mode and change owner to this user and group. Never chmod a directory to 777 until there is a good explanation for that. Using this trick, web service process only can read, write and execute in that directory.
As well, if you want the browser clients not to see(read) the contents of that directory, you should deny listing on that directory. I think it is disabled for default.
GoDaddy does not a give FTP root access to my account, meaning I can only access the public_html folder and not the includes folder.
Is there any way I can include the config files in that public folder but somehow make it so only the server can access them in a secure way? How does Wordpress do it?
You could use a .htaccess file to restrict Website Access.
Take a look of this article.
just make sure they have a .php extension.
(and actually contain PHP code of course)
Wordpress keeps the config file in the main folder. Just make sure you have a .php extension and you dont echo anything from that. (I know you wont.)
People really cant get the details inside your php file unless you echo something, or the chmod of the file is set wrong so that people may be able to actually download the file.
As xdazz said, you can also restrict access to your config files, but I think its just for MORE protection, and you are still safe without that.
I want to display image through PHP.
When I put image in /var/www/ directory then it is working fine, I am giving full path.
But when I put image in some other directory (say home) then it is not displaying.
Usually, servers have some kind of sandbox which prevent your code to access files outside of it for security reasons.
I encourage you to put all data you want your server to be able to access inside its folders (/var/www directory or subdirectories of it)
First off, you should really check your error logs as they will probably point you in the right direction.
Without more information, I'd have an educated guess that the Apache user does not have rights to the file and/or the containing directories.
You can change permissions using the chown and chmod commands in a shell.
EDIT: But don't allow access to any dir with sensitive data (e.g. your home directory) to the webserver!
I have a folder named upload which is filled with folders of users uploaded files.
Is there any way I can stop people from directly downloading my users files by simply typing the folder names and file name into the address bar?
Example: user Jim's folder is stored at HOST/uploads/jim
user Jim's important file "myimportantfile.txt" is stored at HOST/uploads/jim/myimportantfile.txt
Now, if just anyone types into the address bar: www.HOST.com/uploads/jim/myimportantfile.txt , they will be able to view Jim's important file.
How can I stop this from happening?
Can I write certain attributes when making the directories?
You don't want to have those files in a web-accessible folder. Move them out of the webroot.
Once you do this, you can have a file like download.php to which you pass a file ID and it can then validate it is in fact Jim asking for his files and only then fetch the file and output it to the browser as an attachment. This is the safest/best way for security.
I belive file permissions of a directory +w-r+x will alow directory writes but not reads. In geeky unix terms this is %chmod 733 dirname. The directory ownership would have to be set properly using chown and chgroup. This applies to a unix environment.
You could use an .htaccess file to require a username and password to be entered making each folder a protected folder.
But I think the best way to do it would be to move the uploads folder outside of the webroot so that it's not directly accessible, and then create a script (PHP, ASP, etc) that serves up the requested file after authenticating the user.
The simplest solution is to just add an index.htm file to the folder.
Any visitors will then see this page rather than the index of files.
The page can be blank, or even better, redirect to the domain home page with a redirect.
Sure, you can use basic file/directory permissions in Linux. You can also set the entire tree to be denied by apache.
What platform / webserver software are you running?
Okay, linux:
If the owner of the directory is 'joe', and the group is 'apache', then:
chmod 750 joe
This would give the directory 'joe' permissions which allow the owner (joe) full access, the group (apache) write access (and the ability to enter the directory), and nothing else.
Is this an FTP drop-box?
What are the ownerships/groups like now?