Why don't I have rights on uploaded file? - php

I've just created a PHP snippet that allows me to upload pictures. I'm working on my personal PC that runs Windows 7, IIS7 and PHP.
The weird thing is that I'm allowed to upload and it works great, but if I go to the folder c:\inetpub\wwwroot\imgupload\uploads and try to view the image then I'm not allowed because I don't have any rights. Adding my user to the file rights solves the problem but that's a bit silly, ain't it? I'm using PHP's move_uploaded_file().
Any thoughts?

The webserver (IIS) and PHP run with different permissions than you yourself. It's the webserver that receives the file and writes it to disk. So it is entirely reasonable that someone else (i.e. you) does not have access to it.

The problem is that the 'user' creating the images isn't you, it is IIS. Consequently, you don't own the image, the server does.
You could try to do a chmod($file, 0777); after the file has been created to make it publicly accessible.

Related

Redirect a user trying to download a .zip file to download.php?file=fileName in IIS

I need to prevent people from downloading .zip files on my server unless they are logged in. For this purpose, and since I'm also using MediaWiki and would like to modify it as little as possible as I'm not familiar with it, I was thinking about doing the following:
When a user wants to download a .zip file, it will be redirected by the server (with a web.config rule) to something like download.php?file=fileName and inside the PHP, I can do my programming to see if he's logged in and then use readFile() to give him the file.
However I'm not familiar with IIS (not much more with Apache either) and I'm totally clueless as how to write this rule. Could someone please help me out on this?
I'm also open to other suggestions. Putting the upload folder in a place not accessible to the public (but to the server) may do the trick but images are also uploaded then and then they wouldn't download. I could, again modify the behavior of the upload system myself but as it's done by MediaWiki I would prefer not to.
I have found this code (by using a .htaccess to web.config online translator) but it's not working. Maybe it's easier for you to just fix this code:
http://pastebin.com/waMJnFyK
The uploads are in subdirectories within /images like for example /images/a/ae/file.zip and I would like that when you try to open that you get redirected to a php file where as a GET input I have the file location.
Solution I took: http://pastebin.com/7skGT9uN
It redirects everything that ends in .zip within /images to download.php?fileName=whatever where the /images part is not passed.
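A gate of the kind this question describes, as an added example that is not the poster's pastebin solution or MediaWiki code: download.php checks the session, then resolves the requested name with realpath() so the value cannot point outside the images tree. UPLOAD_ROOT, the user_id session key and resolve_upload() are assumed names; the fileName parameter follows the post.

```php
<?php
// Added example: gate behind download.php?fileName=a/ae/file.zip.
// Assumed names: UPLOAD_ROOT, $_SESSION['user_id'], resolve_upload().
declare(strict_types=1);

const UPLOAD_ROOT = '/path/to/wiki/images';   // placeholder for the real images directory

/** Map a user-supplied relative path to a real file under $root, or null. */
function resolve_upload(string $root, string $requested): ?string
{
    $rootReal = realpath($root);
    if ($rootReal === false || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the prefix test below
    // is made on the path the filesystem will actually open.
    $real = realpath($rootReal . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

if (PHP_SAPI !== 'cli') {                      // skip the HTTP part when run from the CLI
    session_start();
    if (empty($_SESSION['user_id'])) {         // assumed login marker
        http_response_code(403);
        exit('Login required');
    }
    $req  = $_GET['fileName'] ?? '';
    $path = is_string($req) ? resolve_upload(UPLOAD_ROOT, $req) : null;
    if ($path === null) {
        http_response_code(404);
        exit('Not found');
    }
    // Fixed content type and a sanitized name: nothing is echoed back from the request.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```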

Setting permissions in PHP on server

I am trying to create a really simple webpage in php, letting people upload images to a folder on my server. I made this really simple with some done code, and it worked awesomely on my computer with xampp, but when I upload the page to my server, it gets an error message every time I upload anything. The error is when the script checks if the image was uploaded, where it says
$copied = copy($_FILES['image']['tmp_name'], $newname);
if (!$copied) {
    echo "error";
}
This leads me to believe that there is something wrong with the permissions. But how can I set this? And what should I set it to? I just need others to be able to upload images to a specific folder.
The web server needs write permissions to be able to write into the directory you're storing the images.
Assuming you're on a Linux server, run the following command on the server (ssh) after changing /path/to/uploaded/images to the image upload directory, and see if it solves the problem:
chmod 777 /path/to/uploaded/images
If that fixes the problem, you can probably relax the permissions to something like:
chmod 664 /path/to/uploaded/images
These are basic commands for directory permissions, which you can learn more about in this tutorial about file permissions on Linux.
Alternatively, you can use move_uploaded_file() to copy the uploaded file to a known location.

PHP - Question about uploading & uploaded image file

I have read the following tutorial "Uploading Files To the Server Using PHP"
and have several questions related to the topics.
Q1> The tutorial mentions that
"Note that PHP must have write access to $uploadDir or else the upload will fail"
For me, I only allow the user to upload the file after the user has logged in to the website.
If we set that $uploadDir permission as 777, then everyone can have write permission to that folder. How to avoid this problem?
Also I am using WAMP as my testing bed, can I simulate the same case as a real web server?
Q2> In order to prevent direct access, the tutorial mentions:
"A better approach is to move the upload directory away from your web root. For example, the web root for this site is: /home/arman198/public_html/ to prevent direct listing i can set the upload directory to /home/arman198/upload/."
Now my problem is how I can display the uploaded images on other website pages, since the upload is not accessible directly anymore. I need to display the uploaded image save personal headshot dynamically on other website page. Is it possible?
Thank you
It's a common problem.
All modern computers have a temporary files directory. On Linux/Unix it's /tmp, on Windows it's usually c:\temp. The OS install will have set permissions on that directory so that anyone can write files there but only privileged users can delete files that don't belong to them. This is where PHP will want to put an uploaded file; your application then has to move it elsewhere (this is the purpose of the move_uploaded_file() function). PHP under Windows may need upload_tmp_dir actually set in the php.ini file.
Once you have an uploaded file, you can shift it wherever you like, including to where the webserver can read it to serve it. The biggest problem with that is that it is awfully easy to put this directory inside your codebase. Don't do that. As soon as you do anything beyond editing the files inside the directory they are served from, it will be problematic. Trust me: I've dealt with this a few times in code I've inherited. It's easy to let your webserver load files from a location outside your codebase.
The other alternative is to produce a download script. That way the file need not be servable by the webserver at all. One disadvantage is that you don't get to leverage the web server's MIME translation, but then, that lets you control which types of image files are permitted.
For the second question, you can use a PHP script instead of direct access to the directory. Let's name it image.php. Let's assume that it can take a parameter id, like image.php?id=image_id. In that file you can get the id using the superglobal array $_GET. Then you can search for images with that id and just send it as the response.
First one I'm not sure, but maybe play with .htaccess file.
And for the first question, try setting your permissions to 775. That should allow PHP to write the file to the directory without giving the general public write access.
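The answers' suggestions combined, as an added example that is not from the tutorial or the posters: the upload is moved to a directory outside the web root with 0750/0640 modes instead of 777, and image.php?id=... accepts only names the server itself generated. UPLOAD_DIR, store_image() and path_for_id() are assumed names, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example. Assumed names: UPLOAD_DIR, store_image(), path_for_id().
declare(strict_types=1);

const UPLOAD_DIR = '/home/arman198/upload';   // outside public_html, as in the quoted tutorial

/** Move one entry of $_FILES into UPLOAD_DIR; returns the stored name or null. */
function store_image(array $file): ?string
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Decide the type from the bytes, not from the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, $allowed)) {
        return null;
    }
    // Directory: owner rwx, group r-x, others nothing. The owner is the PHP/web server user.
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];   // server-chosen name
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file() refuses anything that is not a genuine HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);   // octal literal; no execute bit, no access for "others"
    return $name;
}

/** Path for image.php?id=...; accepts only names store_image() could have produced. */
function path_for_id(string $id): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $id)) {
        return null;
    }
    $path = UPLOAD_DIR . '/' . $id;
    return is_file($path) ? $path : null;
}
```

image.php would call path_for_id() on the request value after its login check and send the file with readfile(), setting Content-Type from the extension.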

PHP ftp_put() - "Cannot STOR."

I try to upload a file through PHP's ftp_put function, like so:
ftp_put($this->conn_id, $rempath, $locpath, $mode);
However I get the error "Cannot STOR." Nothing more. The FTP-connection is OK since I can download files using the same settings and ftp_get(). The script should be OK as well since it works fine on my local setup but not on my public server.
What can I try to make it work? I Googled but found nothing of worth.
You should first check to make sure that you are able to upload using a regular FTP client. I see you say "there's no problem with my FTP-client" but in the initial request you said you are able to download files successfully and failed to mention a successful upload. I believe you will find that uploading with a client will fail too because that message is the output of FTP and not PHP. Whether or not it is a permissions issue remains to be seen, but it is unlikely a PHP issue. Do a little more research on FTP error 550.
Sounds like a permissions error. Are you sure you have permissions to upload the file to the location you are trying to put it at? If you try to do the upload manually via FileZilla or something does it work?
You should check to be sure you have write permissions on the directory into which you are trying to put the file(s).
Cannot STOR is a permission issue. Double-check the permissions for the FTP user.

Odd permissions on file modified by PHP move_uploaded_file()

I'm running PHP 5.2.6 on a Windows Server 2003 Enterprise box. IIS is set to deny anonymous access and use Integrated Windows authentication.
I'm using a PHP script to save a file uploaded from a web form. The file is uploaded to a temp folder, the script creates a file name and path depending on other variables from the web form, and then the script uses PHP's move_uploaded_file() to move the temp file to the final location. All that works fine. In short, people are uploading files so everyone in the group can see them and the files are organized by the script.
My problem is that the file in the final location has odd permissions. It is not ending up with permissions from either the temp location or the final location. Both the temp location and final location have the same permissions: full rights for owner and administrations; read and read/execute for 2 specific AD security groups. The final file ends up with only: full rights for owner and administrations. So while the admins and the original uploader have no problem viewing the file, all others in the group get "permission denied" when trying to access it.
Any ideas or suggestions will be greatly appreciated! Thanks!
from the php page on move_uploaded_file (nb: this worked for me):
For those using PHP on Windows and IIS, you SHOULD set the "upload_tmp_dir" value in php.ini to some directory around where your websites directory is, create that directory, and then set the same permissions on it that you have set for your websites directory. Otherwise, when you upload a file and it goes into C:\WINDOWS\Temp, then you move it to your website directory, its permissions will NOT be set correctly. This will cause you problems if you then want to manipulate that file with something like ImageMagick's convert utility.
This seems to be an issue with the move_uploaded_file() function:
http://us3.php.net/move_uploaded_file
Take a look at the comments below, take note of Florian's comment about copy().
Would copy() solve the issue?:
http://us3.php.net/manual/en/function.copy.php
