I'm running PHP 5.2.6 on a Windows Server 2003 Enterprise box. IIS is set to deny anonymous access and use Integrated Windows authentication.
I'm using a PHP script to save a file uploaded from a web form. The file is uploaded to a temp folder, the script creates a file name and path depending on other variables from the web form, and then the script uses PHP's move_uploaded_file() to move the temp file to the final location. All that works fine. In short, people are uploading files so everyone in the group can see them and the files are organized by the script.
My problem is that the file in the final location has odd permissions. It is not ending up with permissions from either the temp location or the final location. Both the temp location and final location have the same permissions: full rights for owner and administrations; read and read/execute for 2 specific AD security groups. The final file ends up with only: full rights for owner and administrations. So while the admins and the original uploader have no problem viewing the file, all others in the group get "permission denied" when trying to access it.
Any ideas or suggestions will be greatly appreciated! Thanks!
from the php page on move_uploaded_file (nb: this worked for me):
For those using PHP on Windows and IIS, you SHOULD set the "upload_tmp_dir" value in php.ini to some directory around where your websites directory is, create that directory, and then set the same permissions on it that you have set for your websites directory. Otherwise, when you upload a file and it goes into C:\WINDOWS\Temp, then you move it to your website directory, its permissions will NOT be set correctly. This will cause you problems if you then want to manipulate that file with something like ImageMagick's convert utility.
This seems to be an issue with the move_uploaded_file() function:
http://us3.php.net/move_uploaded_file
Take a look at the comments below, take note of Florian's comment about copy().
Would copy() solve the issue?:
http://us3.php.net/manual/en/function.copy.php
Related
I have a 2.5GB file that I want to allow users to download after they buy it. I originally planned on hiding the file and then just using readfile to dump the file's contents with .zip headers but my GoDaddy server apparently won't allow me to use readfile on such a large file, so I'm stuck with changing the name of this important file every hour. But if someone can just list all the files on my www folder anyway then people can take it without paying for it.
Any suggestions?
As long as you don't allow indexing of the directory then they can't obtain a file listing. To do that create a .htaccess file in the directory and add:
Options -Indexes
Alternatively, if the folder has an index page this will also prevent the server disclosing a directory listing and instead serve the index page.
if you have more than 5 gig host so use the php exec command to copy your file with another name
let say you keep your file with a unguessable name in a unguessable folder
so whenever the buyer confirm the order then you copy the file to a known folder with user-generated name, then pass the link to user
if your host is linux then use cp command if it's windows use copy
use something like cp oldname.ext newname.ext or copy oldname.ext newname.ext
after a certain time you will delete the file in the known folder
I have created a php file which will open a text file(which resides in the same location along with the php file),and i also added some code thus i can change the content of the text file.It was working great in my local host but as soon as i upload the folder to a server i cant save the changed content to the file some permission related error is coming up.Is there any way thus i can forcefully change the content of the file in server?I mean is there any way thus this permission related issues can be overcome?
Access it via FTP and change the permissions to 755 which allows everyone to read / execute and only yourself to write.
Read more about permissions to find what best suits your requirements.
I have a couple of scripts that worked fine on another server.
Now that I have moved everything on to a new server, the file does not appear in the destination folder. The strange thing is that move_uploaded_file returns true.
Also, I printed the post data and there is no error.
Can you guess what's possibly going on. The files I am trying to upload as a test are very small ( 10 kb).
The move likely succeeded, check the following:
You don't have access to view the file.
Use chmod("/path/to/file.ext", 0755); to add view rights for the ftp user.
You moved the file to an location that doesn't store the file. /dev/null
You're looking in the wrong folder. Did you use a full path?
The file is removed shortly after the move.
In my case, Total Commander, used as an FTP client, truncated output to 10000 files in directory. When I connected via SSH using WinSCP I was able to see all ~14000 files in the directory.
I have read the following tutorial "Uploading Files To the Server Using PHP"
and have several questions related to the topics.
Q1> The tutorial mentions that
"Note that PHP must have write access
to $uploadDir or else the upload will
fail"
For me, I only allow the user to upload the file after the user has login to the website.
If we set that $uploadDir permission as 777, then everyone can have written permission to that folder. How to avoid this problems?
Also I am using WAMP as my testing bed, can I simulate the same case as a real web server?
Q2> In order to prevent Preventing direct access, the tutorial mentions:
"A better approach is to move the
upload directory away from your web
root. For example, the web root for
this site is:
/home/arman198/public_html/ to prevent
direct listing i can set the upload
directory to /home/arman198/upload/."
Now my problem is that how can I display the uploaded images on other website pages. Since, the upload is not accessible directly anymore? I need to display the uploaded image save personal headshot dynamically on other website page. Is it possible?
Thank you
It's a common problem.
All modern computers have a temporary files directory. On Linux/Unix it's /tmp, on Windows it's usually c:\temp. The OS install will have set permissions on that directory so that anyone can write files there but only privileged users can delete files that don't belong to them. This is where PHP will want to put an uploaded file; your application then has to move it elsewhere (this is the purpose of the move_uploaded_file() function). PHP under Windows may need upload_tmp_dir actually set in the php.ini file.
Once you have an uploaded file, you can shift it whereever you like, including to where the webserver can read it to serve it. The biggest problem with that it is awfully easy to put this directory inside your codebase. Don't do that. As soon as you do anything beyond editing the files inside the directory they are served from, it will be problematic. Trust me: I've dealt with a few times this in code I've inherited. It's easy to let your webserver load files from a location outside your codebase.
The other alternative is to produce a download script. That way the file need not be servable by the webserver at all. One disadvantage is that you don't get to leverage the web server's MIME translation, but then, that lets you control which types of image files are permitted.
For the second question, you can use a PHP script intead of direct access to the directory. Lets name it image.php. Lets assume that it can take a parameter id, like image.php?id=image_id. In that file you can get the id using superglobal array $_GET. Then you can search for images with that Id and just send it as response.
First one I'm not sure, but maybe play with .htaccess file.
And for the first question, try setting your permissions to 775. That should allow PHP to write the file to the directory without giving the general public write access.
i'm working on a website wherein the users can upload images (uses php 4.3.11). the files are uploaded with no problem as i can see them in the upload directory and i don't get any error message, but when i try to access the uploaded files via ftp, i get an error: no such file or directory. sometimes, i am able to access the file sometimes i get this error. what could be the problem here?
[update]
thanks for the help guys. i'm not familiar with the ftp daemon stuff. but i do access my files via ftp using FireFTP. the files are there but when try to download them or change the file properties, i get the said error. i also tried uploading a file in the folder through ftp and i was able to download it with no problem.
here is some of the code i'm working on, its kind of roundabout but i'll see on how to improve it.
my working directory is something like this www.domain.com/register/
and the upload directory is here www.domain.com/register/uploads/
users are required to register and upon sign-up, a folder is created for them in the uploads directory. i couldn't find a way to create a folder without having to be in the uploads folder itself so i redirect to a create-user-folder.php file in the uploads dir.
the file just contained this code:
$user_foldername = rawurldecode($_GET['name']);
mkdir($user_foldername);
header("Location: ../form.php"); // redirect back to the page
i checked and the created folder's permission is set to 775.
and here's part of the code i use in uploading ( /register/function/function.php ):
$path = "../uploads/$user_foldername/";
for($j = 0; $j < $num_of_uploads; $j++){
if(is_uploaded_file($_FILES[$file]['tmp_name'][$j])){
$filename = $_FILES[$file]['name'][$j];
copy($_FILES[$file]['tmp_name'][$j],$path.$filename);
}
}
i checked using FireFTP and the files are in the /uploads/user_foldername/ directory and its permission is set to 664. the strange thing is that when i try to download the files, at times there would be no problem at all but there are times when the error will appear.
[another update]
i added chmod() after the copy() function,
$filename = $_FILES[$file]['name'][$j];
copy($_FILES[$file]['tmp_name'][$j],$path.$filename);
chmod($path.$filename, 0755);
but i still get the error.
another thing is that when i access /register/uploads/user_foldername/ through the url, i can see all of the uploaded files and view them, but how is it that i can't access them via ftp?
thanks again!
This is either a permission issue, or a configuration error. Here are things you should try:
What are the permission of the uploaded files? Does the FTP user has access to these files? Have you tried logging in as the user the FTP daemon would use and see if you could read the file that way?
Do you really see the correct directory? Have you verified by putting a file in that directory yourself and downloading it? Have you used the ftp command ls to verify the presence of the folder/folders/files?
You might need to chmod the folder the files are in, or in some cases the files themselves.
try chmoding them to 775
You can chmod files and folders through PHP it's self, with the chmod function. Or, you could use a FTP program such as filezilla.
Also check to make sure the intermediate directories are also permissioned as 755, as all the directories in the path need to be executable to be traversed.
i just figured out the problem. it was all because of the file name having accented characters in it, which explains why i do not always get the error message :|
<sigh> i should have seen this earlier, but anyway i hope this helps in case someone ran into the same problem.
thanks again! i really appreciate it :)