From 19 Deadly Sins of Software Security;
The following code is the poster child for the file-access race condition defect. In between the call to access(2) and open(2), the operating system could switch away from your running process and give another process a time slice. In the interveneing time, the file /tmp/splat could be deleted, and then the application crashes.
…
const char *filename="/tmp/splat";
if (access(filename, R_OK)==0) {
int fd=open(filename, O_RDONLY);
handle_file_contents(fd);
close(fd);
}
and
Again, this code is accessing the file using a filename. The code determines if the file is readable by the effective user of the Perl script and if it is, reads it. This sinful code is similar to the C/C++ code: between the file check and the read, the file may have disappeared.
#!/user/bin/perl
my $file="$ENV{HOME}/.config";
read_config($file) if -r $file;
and finally,
Use a file handle, not the filename, to verify the file exists and then open it.
$!/ur/bin/perl
my $file="$ENV{HOME}/.config";
if (open(FILE, "< $file")) {
read_config(*FILE) if is_accessible(*FILE);
}
The point is that if you use a filename for each call to a file-related function, the file could be changed, deleted, etc. between calls, particularly on a remote server. It’s better to use a file handle or file descriptor. Unfortunately, the PHP manual seems to indicate that most file functions only work on a string representing the filename and don’t have overloads that can take a handle instead, filesize in particular:
$fn = "somefile.txt"
$fh = fopen($fn);
if ($fh !== FALSE) {
$data = fread($fh, filesize($fn));
}
That’s not good; between the call to fopen and filesize, the file could have been altered. Worse, the file could have been altered between the call to filesize and the meat of fread!
Does anyone know of a way to use PHP file functions, especially filesize with handles instead of filenames?
A lot of the data you're looking for can be accessed with fstat().
The following can be derived from an fstat() call. See stat() for more about the information fstat() returns. From the PHP manual:
Array
(
[dev] => 771
[ino] => 488704
[mode] => 33188
[nlink] => 1
[uid] => 0
[gid] => 0
[rdev] => 0
[size] => 1114
[atime] => 1061067181
[mtime] => 1056136526
[ctime] => 1056136526
[blksize] => 4096
[blocks] => 8
)
Related
I've been wrangling my brain for the last day trying to fix this.
Basically, the temp file set in $_FILES['logo']['tmp_name'] does not exist.
The file is apparently getting uploaded, as shown in the below print_r() of $_FILES:
Array
(
[logo] => Array
(
[name] => Channelcat.jpg
[type] => image/jpeg
[tmp_name] => /tmp/php26YfhY
[error] => 0
[size] => 152142
)
)
The file permissions on my /tmp directory are apparently 777. I suspect that this problem may have to do with the shared hosting it's using though.
And below is basically what I'm trying to do with the file.
$logo = $_FILES['logo'];
if($logo['size'] > (1024000)) {
die('File size is too large.');
}
$path = __DIR__ . '/uploads/'. $logo['name'];
move_uploaded_file($logo['tmp_name'], $path);
I've tried using is_uploaded_file($logo['tmp_name']), which returns false and realpath($logo['tmp_name']) which returns an empty string.
move_uploaded_file doesn't error, but doesn't move the file to the specified directory either.
When you have set some open_basedir variable in the php.ini file, the file upload works, the $_FILE array gets populated and even shows the tmp_name subkey, still files are not written to disk, which results in a puzzling situation, as no further errors are reported being the error subkey set to 0.
Solution is to set the temp folder to some subfolder inside the open_basedir php.ini variable.
I have the following code in a "function" file [2] in my project. It can be called for multiple types of reports in my project. The $name comes from the reports pages using the $thePDFFileName [1]:
[1] $pdf->Output($thePDFFileName);
...
[2] $f=fopen($name,'wb');
if(!$f)
{
$this->Error('Unable to create output file: '.$name);
}
fwrite($f,$this->buffer,strlen($this->buffer));
fclose($f);
...
[1] FunctionSendFile::sendPDFFile($thePDFFileName );
Example: $thePDFFileName = tmp/[Filename]_19-11-2013.pdf
What's strange is before it was working for all my reports, now all of a sudden it always returns null (empty) for $f=fopen($name,'wb'); and I have no idea why. I tried removing the if condition to force the file being created, and it makes a pdf file of 0 bytes (I'm assuming because fopen() fails).
Has anyone seen this happen before and know how to fix it? I'm not sure what i've done to make all the pdf files stop working...
NOTE: I am trying to create these files and save them in a certain location. I'm not trying to find and open files that already exist!
I want to upload my file into public html folder using php code at the time of uploading i want to insert the file path,size,mime type like this. Please any one give me proper solution because totally I wasted nearly one day for this
Thanks in Advance
If your upload field is named file, you can get all the informations from the $_FILES array:
Array
(
[file] => Array
(
[name] => MyFile.txt
[type] => text/plain
[tmp_name] => /tmp/php/php1h4j1o
[error] => UPLOAD_ERR_OK
[size] => 123
)
)
For the path, you set it yourself with move_uploaded_file:
$path = '/files/MyFile.txt';
move_uploaded_file($_FILE['file']['tmp_name'], $path);
Destination dir must be writable and you should check the return value of move_uploaded_files.
I'm trying to upload a file but i doesnt work:
Usefull Info: Running IIS Express (with PHP 5.3) - Windows 7 Professional 32 Bits
Code:
move_uploaded_file($_FILES["imagem"]["name"], "/images/" . $_FILES["imagem"]["name"]) or die ("Error:".print_r($_FILES));
It Prints: Array ( [imagem] => Array ( [name] => Chrysanthemum.jpg [type] => image/jpeg [tmp_name] => C:\Windows\Temp\php3D85.tmp [error] => 0 [size] => 879394 ) )
I'm sure the path is correct and i also did chmod() to set permissions but still, doesn't upload.
Any sugestions?
Your destination path should start with a proper path to the images directory (dirname(__FILE__) can help). As it stands, "/images/" . $_FILES["imagem"]["name"] means it'll try to write to C:/images/ (assuming the script is in the C: drive) which probably doesn't exist.
Since its is inside of an array you need to execute the move uploaded file function inside of foreach loop.
foreach($_FILES['imagem'] as $f){
move_uploaded_file($f['tmp_name'], "/images/" . $f["name"]);
}
You might wanna try using my class:
http://code.google.com/p/daves-upload-class/source/browse/upload_class.php
I'm trying to execute a straightforward PHP call to load the contents of a web page:
$result = file_get_contents("http://www.google.com");
The result coming back is a strange file not found error:
Warning: file_get_contents(http://www.google.com): failed to open stream: No such file or directory in /var/www/html/test.php on line 5
I have "allow_url_fopen = On" on my php.ini and no .htaccess files that might alter the setting in the directory. Any ideas? I've never had trouble with this function before on different servers.
Apparently the HTTP stream wrapper is not present, which causes this error.
print_r(stream_get_wrappers());
Array
(
[0] => php
[1] => file
[2] => data
[3] => compress.zlib
)
I'm not sure how it was removed or how to restore it, but that would explain it! I've tried stream_wrapper_restore('http') in case it was unregistered somehow, but that has no effect.
I think it is some kind of proxy effect.
Do you use proxy? If this is the case, you must create a stream context with the proxy details.
Did you re-initialize your webserver on changing "allow_url_fopen"?
OR
The user agent "PHP" may be disallowed on the server you are querying.
OR
From the PHP Manual page: Note: If you're opening a URI with special characters, such as spaces, you need to encode the URI with urlencode().
You can do a test of the php.ini settings like this...
if (ini_get('allow_url_fopen') == '1') {
// use fopen() or file_get_contents()
} else {
// use curl or your custom function
}
Not sure, but try:
if(($fp=fopen('http://www.google.com/', 'rb'))!=null)
{
// for php5 and up or use fread for php4
$contents = stream_get_contents($fp);
fclose($fp);
}