I'm trying to write a PHP script to copy the files from your local machine to a server:
$destination_directory = 'I:\path\to\file\' . $theme_number;
if(!#opendir($desination_directory)) {
echo 'Sorry, the destination directory could not be found.';
die();
}
I check the access to the destination folder with that process, and I keep getting the error return. Anyone know what I'm doing wrong? I pretty much have everything else in place. I just don't know how to access this other server.
Addendum: I accepted an answer below, because it is technically correct, and I was able to get the Apache server to be accepted by the IIS server, however, for what I was trying to accomplish (giving anyone who used the script unfettered ability to move files to the server), it was infeasible. I would've had to set up specific functionality on each of their computers. It seems the best workaround would be to establish the script on the server to which you would like to copy your files, and then move them from your local drive to that location in a more traditional means. That would mean a file server with CGI-exec capabilities, though, which our server did not possess.
I'd guess that you are on windows and that you have I: mapped to a share such as \\server2\files ...
If so, that's your problem. These mappings are only avaialble to the current users (eg, the admin account), not to the IUSR account that your php is probably running as (assuming IIS). Solution, don't use mappings, instead use the full 'unc' path name, ie '\\server\share\folder\file.ext', also remember that the IUSR account will need access to these shares/folders/files
Is this other server accessible via I:\path\to\file\\?
If PHP is reporting an error opening the directory, you might want to make sure it exists and you have access permissions to it.
Also, the two slashes (\\) may be causing problems too. Try checking that.
$destination_directory = 'I:/path/to/file/' . $theme_number;
You might also want to look at the FTP functions.
Related
Good day! I have hit a wall.
I'm trying to get PHP to load a file from a folder on another server and have tried so many methods and variations of permissions (IIS/PHP use Windows Authentication) but have yet to find a solution. I am so close I can taste it.
The files are in a folder on the other server e.g. \\otherServer\my_photos
In order to access them this I have created a symbolic link on the server hosting the PHP site, e.g.
C:\my_photos > \\otherServer\my_photos
I am then doing various tests to determine whether or not the page has access, e.g:
$path = 'C:\\my_photos';
$isReadable = is_readable($path);
var_dump($isReadable);
The above returns TRUE.
However, if I do this:
$path = 'C:\\my_photos\photo_1.jpg';
$isReadable = is_readable($path);
var_dump($isReadable);
It returns FALSE.
The permissions on the file photo_1.jpg are identical to the folder my_photos so I suspect the cause is something else, such as some sort of security restricting affecting access to files on other servers, but I am out of ideas. I will reward any assistance with virtual gratitude and am even willing to draw you a picture with a personal message.
UPDATE:
If we switch Windows Authentication off and Anonymous Authentication on (running under the ApplicationPoolIdentity) it works, which seems to suggest that a) it's not some confusing cross-server security issue and b) the problem may relate more to the way PHP/fastCGI impersonates Windows users. Will switch back to Windows auth and keep testing!
I managed to get this working (after three days of head-scratching) by changing the FastCGI 'protocol' from NamedPipe to TCP, as detailed in this answer:
https://stackoverflow.com/a/41367358/1358231
I'm still not entirely sure why this works but will keep looking. In the end there was no need for a symbolic link (or mapped drive) - we could access the remote file directly via the UNC path.
You forgot to escape the slash preceding the directory name. It should look like this.
$path = 'C:\\my_photos\\photo_1.jpg';
$isReadable = is_readable($path);
var_dump($isReadable);
Every slash gets escaped, so, \otherServer\my_photos would become:
$path = '\\\\otherServer\\my_photos';
Note the four slashes before the server name, and the two slashes before the directory name.
So I've never seen this before. I have an EC2 server (first time setting this up) using Debian Linux and Apache 2.2. Using a path like so /js/file.js is looking for http://js/file.js. On my local machine and my dreamhost shared server I don't have this problem. In fact I've never seen this problem on a server before. What it should do is look for http://domain.com/js/file.js. Does anyone have some idea of why this could be happening? I've poured over my php.ini file and don't have any hint at what I should change or add to fix this.
What kind of syrup did you "pour" over your php.ini file? It may have gummed up the works! ;)
Have you looked in the output HTML via your browser (View > Page Source), and what you're getting is http://js/file.js? Is that src="http://js/file.js" in a tag? Adding http://domain.com/ should be the work of the browser, not the server. Some browsers display URLs with the domain already added, while others show exactly what you sent to the page. Are you sending any tags that maybe are missing the domain? I think it's only supposed to apply to relative URIs, but it's worth checking. Did you actually use js/file.js or /js/file.js? They're very different.
Ok, so I figured it out. The problem was that on my local machine and on my other server I was not at the root domain so I was using $_SERVER['SCRIPT_NAME'].DIRECTORY_SEPARATOR."js/" to determine the root url to make an alias to the js files path. This returned /app/js/. This worked fine when the files where in a sub folder from the domain somewhere e.g. domain.com/app/js/file.js.
However once I was installing this app on my server and it was the root application $_SERVER['SCRIPT_NAME'].DIRECTORY_SEPARATOR."js/" was returning //js/. That was the problem! That is not the same as /js/. That was bypassing the domain as part of the url and instead telling the browser to look at http://js like it was a fully qualified url. I am assuming // is shorthand for http:// though I've never tried this before.
To fix this I hacked together this function based off of something in the Yii Framework, which is what I'm using for this application.
function getBaseUrl() {
$scriptName=basename($_SERVER['SCRIPT_FILENAME']);
if(basename($_SERVER['SCRIPT_NAME'])===$scriptName)
$_scriptUrl=$_SERVER['SCRIPT_NAME'];
else if(basename($_SERVER['PHP_SELF'])===$scriptName)
$_scriptUrl=$_SERVER['PHP_SELF'];
else if(isset($_SERVER['ORIG_SCRIPT_NAME']) && basename($_SERVER['ORIG_SCRIPT_NAME'])===$scriptName)
$_scriptUrl=$_SERVER['ORIG_SCRIPT_NAME'];
else if(($pos=strpos($_SERVER['PHP_SELF'],'/'.$scriptName))!==false)
$_scriptUrl=substr($_SERVER['SCRIPT_NAME'],0,$pos).'/'.$scriptName;
else if(isset($_SERVER['DOCUMENT_ROOT']) && strpos($_SERVER['SCRIPT_FILENAME'],$_SERVER['DOCUMENT_ROOT'])===0)
$_scriptUrl=str_replace('\\','/',str_replace($_SERVER['DOCUMENT_ROOT'],'',$_SERVER['SCRIPT_FILENAME']));
else
throw new Exception('The App is unable to determine the entry script URL.'));
return rtrim(dirname($_scriptUrl), '\\/');
}
I hope this helps someone else.
I need to connect to a mysql database using PHP. I am storing my login, user, password, and other info in a separate php file (let's say "mysql_connect.php") and then accessing it via require_once (mysql_connect.php) in a different file.
I have done a bit of googling and I know that I am supposed to keep "mysql_connect.php" out of the web root. I have moved it outside of the html folder and tried calling to it by using "../../mysql_connect.php" This is not working, it gives me an error "function not found" or something like that. Upon googling that, the internet says that its because it can't locate the file i'm referencing. When I move mysql_connect.php into a folder below root, everything works fine. The issue is because it is moved outside of the web root (i think).
I have been googling for two days now and cannot find a detailed explanation on how to get this to work. Something about changing the .htaccess file? I've read a bunch of articles on the theory but I am really looking for a step-by-step tutorial (I am a beginner). The only step-by-step tutorials I can find just tell you to put the config.php file into the same folder which is not secure.
Also in reading, it says that putting mysql_connect.php above root might not be THE most secure way to store the information as it is still basically just a .txt file and it can be retrieved easily(like downloading it). I am looking for a balance between secure and also do-able (for a beginner like myself). The mysql database I am trying to protect will not have any personal information and I plan on using a dedicated server (with no other information on it).
Can any one help me to solve this issue?
it gives me an error "function not found" or something like that.
This.
Is your main problem.
You either didn't bother to read this error message yourself nor didn't bring it here to help us to help you.
While
there is no problem in having this file below document_root,
and there is no problem in having this file above document root either,
the only problem you have is to assign a correct filename.
And the error message you got could help you more than 1000 volunteers from this site.
Despite of that, you can use PHP predefined variable to make this path work from whatever part of your site. Aassuming the file is one level above the document root, the code would be
require($_SERVER['DOCUMENT_ROOT']."/../mysql_connect.php");
however, this one may produce an error too, as nobody knows a real file locations. Thus, you may read the error message and corect the paths. Or post it here and get an interpretation
You can store the database information inside your web server configuration.
If you run Apache you can use SetEnv inside the VirtualHost. Since you're still on a shared host, your server admin probably need to help you with this. You can read more about this approach here.
... tried calling to it by using "../../mysql_connect.php" This is not working, it gives me an error "function not found" or something like that.
Include the connection details with:
require_once("../../mysql_connect.php");
This assumes that the file mysql_connect.php is two levels up from the currently executing script.
The database connection details will always be able to be read by whomever has administrative access to the server. It is not feasible to encrypt the file, because you would still need to store whatever key or password needed to decrypt it on the server as well, which would still not hide it from the server administrators.
Besides moving out of the web-root (which is a good step forward) an approach I've seen used is:
// at the top of your index or bootstrap file
define('SECURED', true);
And:
// at the top of any file subsequently included, such as mysql_connect.php
if(!defined('SECURED'))
{
exit();
}
This will at least prevent the file(s) from being accessed (executed) directly. This is helpful is the to-be-included files would otherwise issue a warning or error, that could potentially dump sensitive data as output.
If you're in a shared hosting environment you won't be allowed access outside of document root (most likely). You will need the password therefore it won't be completely secure. Instead, you can look into creating seperate mysql users with priviledges and limiting connections to to local accesses only.
i know i'm new, but something as simple as form for your login should be checked in order for it to work.
<form action="insertphpfilepath.php" method="POST">
and then in "insertphpfilepath.php", would have the mysql_query to check the login and password, not forgetting the mysql_query for connecting to the database and table using the right username and password .
a newbie recommendation to you for use mysql_real_escape_string for any $_POST['login'] so that it would become $login=mysql_real_escape_string($_POST['login']); for evading mysql injection.
I would like to ensure that any scripts that are trying to "include" my database connection file are located under my own domain. I don't want a hacker to include the database connection file to their malicious script and gain access to my database that way. My connection file's name is pretty easy to guess, it's called "connect.php". So without renaming it and taking the security through obscurity route, how can I protect it by making sure all connection requests are made by scripts residing under my own domain name? How can this be checked using PHP?
Generally speaking if someone tries to include a file on your domain, they will see the results of the execution of that file. What do you see when you load the connect.php script in your web browser? Thats what they'll see as well if they try to include a remote file.
That said, its generally a good idea to keep important files inaccessible from the outside of your public web space. So, if your website is /var/www/yoursite/ then keep your connect.php in /some/dev/dir/yoursite and include the files from your pages using require_once '/some/dev/dir/yoursite/connect.php';
thetaiko's answer addresses the fundamental issues here - but if anyone else has access to run code on the server (i.e. its a shared server) then access to the file will depend on how the server is configured.
There are lots of ways that access might be constrained - e.g. suphp, base_opendir, multiple chrooted servers. The only way to find out what's going on for sure is to casr yourself in the role of the hacker and see if you can access files outside your designated area.
C.
What do you mean by including your connection file? If a script does include "connect.php" then they can see the source code of the file, so whatever security measures you add to that file will be pointless, as it will be like:
if($notFromHostname)
{
echo "DONT LOOK AT THIS";
die();
}
define('DB_PASS',"myPassword");
...
And the "hacker" will clearly be able to see your password. You are probably better off using something like iptables to deny hosts that are not from a specific domain.
Are you on a shared server and don't want other users of the same server instance to be able to get at your files? That'd be up to your server provider, then, to provide some sort of chroot or virtual system to keep your things in. For Apache, mod_suid can accomplish this nicely, and each vhost gets its own userid and permissions set.
If you want external users to not be able to get at your files, then unless you've badly munged your code, or the server's badly misconfigured, then all they'll get when they visit http://yourserver.com/connect.php is a blank page
No other user than yourself should have access to your PHP files in any way, as Felix mentioned. However, this is how you'd check in PHP:
if($_SERVER['SERVER_NAME'] != "example.com")
die("I've been kidnapped!");
I need to access an Excel file on a Windows Share using PHP but seem to be running into what looks like an authentication issue.
I'm using PHP-ExcelReader to open and read the file. Works fine on my local machine but the server I'm putting it on doesn't have the rights to access this share, and so its telling me that the path is unreadable!
I'm not even sure the path I have for accessing this share is correct:
$file_to_include = "\\\\10.9.8.7\depts$\ExcelFile.xls";
But it works on my machine, as I said so I'm happy with that.
Is there any way I can add my credentials in here somewhere?
Path \\10.9.8.7\depts$\ExcelFile.xls must be locally accessible to the client, since PHP has no SMB support.
EDIT: At least not natively, try smb4php
Your path is correct.
One thing you could try is to share the drive on the server, then map the shared drive on each users computer (make sure they are all the same drive letter, or name), or just your computer. If it's not too many, the users computers would be better, in case you're out, or forget to authenticate. This way, when the user authenticates, it opens the drive up. You can then call the drive via something like:
$file_to_include = '\\\\'.$_SERVER['REMOTE_ADDR'].'\mappedDrive\file.xls';
You path is correct, but keep in mind, that $ amd backslash is a special-char in php when using double quotes.
So you could either write:
$file_to_include = '\\10.9.8.7\depts$\ExcelFile.xls';
or you use double quotes but you add a extra backslash before the special signs
$file_to_include = "\\\\10.9.8.7\depts\\\$\\ExcelFile.xls";
or you yust use forward slashes as directory separator, but the dollar still must be escaped
$file_to_include = "\\\\10.9.8.7/depts/\$/ExcelFile.xls";
About the authdata: if you are running a php file, it usually inherits the permissions of the starting process.
What means, if you already saved the auth for this share in your explorer and you are starting a php, the php file inherits this already saved permissions.
But dont forget, when you run a php in a webserver, this webserver is maybe running in a different user, which dont has the same permissions like your currently logged in user.