I have an image upload form in a secured (with Redux) admin area of my website. When SWFAddress uploads it's not seen as logged in.
I created a multiple image upload form with SWFUpload and a back-end script with CodeIgniter. To cut a long painful story short - it all worked fine and dandy with the security turned off for testing purposes.
But when I turn the authentication back on, the uploader is getting my response "Not Authenticated" from the server? How can I make the form be authenticated?
He is my CI script:
<?php
class Api extends Controller {
function Api() {
parent::Controller();
// Check authentication by turning the security on
if ($this->redux_auth->logged_in())
else {
$this->_returnError('Not Authenticated');
exit;
}
}
function upload() {
// ... i've shortened this bit ...
if ( ! $this->upload->do_upload('Myfile'))
{
//echo "fail";
}
else
{
//echo "success";
}
}
I'm really out of my depth here, as I don't really much about how communication is actually handled by the browser and the server. Any help will be appreciated?!
I tried adding to
post_params: {"PHPSESSID" : "session->userdata('session_id'); ?>"},
To my instance os SWFObject. This didn't make and difference.
I can't get it to login by comparing the session ids. I've set up limited access to the upload script by comparing the upload IP with the users IP contained in the session. I am unsure of how safe this is.
btw, for anyone reading. in research I found out doing the necessary edits to the mimes.php files for swfupload allows for the upload of .php files. see here:
http://codeigniter.com/forums/viewthread/97399/P30/
Related
So, I have code on my server. I want someone else's website to load my HTML, CSS, and PHP code into their website but only if they have the correct license key in their PHP loader thing.
# This is their code, the loader
include('https://example.com/index.php')
$license_key = 00000000;
#This is MY code that's being loaded into their website
$valid_license_keys = ["10203", "000000"];
if ($license_key == $valid_license_keys) {
echo Valid, loading page.;
} else {
echo "<h1>INVALID LICENSE!!!</h1>"
}
How can I actually make it work
When you loading any file from 3rd site it will take some time and then your application will be very very slow.
Change your technical solution.
For example Ioncube Encoder solution. PHP files are encoded and your code is safe.
Hey there so I have sent in a support ticket to go daddy but they aren't being very helpful. In an admin panel for one of my client's websites there is an AJAX image uploader. Normally I don't work with Go Daddy and the script has always worked just fine with other hosts. However this client has forced me into dealing with Go Daddy's mess of a system and I am having trouble getting the AJAX image uploader to work.
The problem seems to be that the $_SERVER['HTTP_X_FILENAME'] is simply not defined, even when a file is posted to PHP using an HTTP request.
In my PHP code I have the following line to grab the file name:
$fn = (isset($_SERVER['HTTP_X_FILENAME']) ? $_SERVER['HTTP_X_FILENAME'] : false);
And on Go Daddy it returns false. Also if I print_r($_SERVER); HTTP_X_FILENAME isn't even defined.
I have checked permissions and everything has the correct permisssions. I have checked the error log and no error is being generated. I have checked the php.ini and file uploads is enabled with a 32mb max (way bigger than any file i'v tested with)
I have no idea where to look now as my google searches have come up with nothing. (And server admin really isn't my forte)
any help would be much appreciated.
thanks!!
Ok, I got this working. Not sure how you manage saving files on pw when using admin. Do they got saved directly to assets/files/id/ folder or is there tmp somewhere?
// We check if it is image upload
$filename = (isset($_SERVER['HTTP_X_FILENAME']) ? $_SERVER['HTTP_X_FILENAME'] : false);
if ($filename) {
$this->message("It is a file coming!");
file_put_contents(
'C:/Temp/' . $filename,
file_get_contents('php://input')
);
} else {
if(!$this->isAjaxPost) throw new WireException("This functionality may only be accessed from AJAX POST at present");
// etc etc...
}
And now I am able to save my files to C:/Temp/. Not sure about the best way to handle this from this situation? Save it to temp folder and use regular pw API and save the file? Or save it right to assets/files/id/ folder and then use API? I can easily send more data (like field name) as a http headers.
If we save it directly to right place (probably safe since this is admin usage), how I get the right path? $config->paths->files->3242 or something like that?
This is how I call the editor:
new nicEditor({
buttonList : ['bold','italic','underline','upload'],
iconsPath:'img/nicedit.png',
uploadURI : 'http://server.com/integracion/files/nicUpload.php'
}).panelInstance(textareaId);
And the .php file exists ( and I the one in the Docs, and I updated the target paths )
/* I want them here http://server.com/integracion/files/uploads/ so... */
define('NICUPLOAD_PATH', './uploads'); // Set the path (relative or absolute) to
// the directory to save image files
define('NICUPLOAD_URI', '/uploads'); // Set the URL (relative or absolute) to
// the directory defined above
But I on response when upload completes (and of corse an alert from nicedit..)
<script>
try {
top.nicUploadButton.statusCb({"error":"Invalid Upload ID"});
} catch(e) { alert(e.message); }
</script>
what am I missing?
-EDIT
I think the problem might be in the php file:
$id = $_POST['APC_UPLOAD_PROGRESS']; /* APC is installed and enabled */
if(empty($id)) {
$id = $_GET['id'];
}
FINAL EDIT:
I have managed to make this work!
Here is an working example:
http://simplestudio.rs/yard/nicedit/
Uploaded images are going to be stored here:
http://simplestudio.rs/yard/nicedit/images/
And here is the whole code, just unpack it and put on your server, mainly I needed to adjust nicEdit.js because it had some issues.
http://simplestudio.rs/yard/nicedit/nicedit.rar
Just make your code with that js file and by looking at my example, it will work :)
Also you need to have php APC installed so that this script can work:
http://php.net/manual/en/apc.installation.php
If you by any mean have some problems I am here to solve it.
I will not delete this example on my server so that everybody who have this issue can freely download it...
The code responsible for image upload is the method uploadFile, it is looking for uploadURI option parameter.
You will need to modify onUploaded event handler to parse your custom response instead of the imgur's one (sample). By default it expects at least {"upload": { "links": {"original": "http://..."}, "image": {"width": "123" } }}.
I'm sorry but I can't help with the FormData() handling server side with PHP.
For more information you can try out the demo page on the nicEdit web site using Firebug or WebInspector to snoop the network requests, and, of course, the source code.
I'm working on a major Flash project that is going to be the core content of a site.
As most of you well know, almost any site can be entirely copied by copying the cached files and the hierarchy (files and folders structure), and it would run without problems on an Apache server with PHP enabled, if used.
What I would like to know is: How to bind SWF files to run on a specific host?
The SWFs will be encrypted, so outsiders won't have access to the methods used to stop the SWF from running on a different host, question is: what method to use?
I think the solution could be hardcoding the host IP inside the SWF, so if the SWF is looking for 123.123.123.123, only a host with that IP would allow the SWF to run further.
The issue is that AS3 alone can't discover the host IP or could it if it's trying to load a resource file? Anyway, that's why I need your help.
EDIT: Ok, seems someone asked for something similar earlier: Can you secure your swf so it checks if it is running on a recognized environment?
I'll try that and see how it works, but the question is still open in case anyone has different suggestions.
I use this method to determine if I am on dev or production in my config files.
var lc:LocalConnection = new LocalConnection();
switch ( lc.domain ){
case "myDomain.com":
case "":// local file reference for dev
case "localhost":// local file reference for dev
case "dev.mydomain.com":// local file reference for dev
break;
default:
// unknown domain do crash the app here
}
One method you could try is a php script that the swf sends a request to and must receive a correct reply from before it continues to operate. Since people can't get at your server-side php, they can't get the needed code to simulate that reply.
The SWFs will be encrypted, so outsiders won't have access to the methods used to stop the SWF from running on a different host
Since the file will run on a client computer (and thus they key would have to be stored in an accessible way), this isn't really that much of a protection.
The best way would probably be to have part of the SWF-logic on the server, and not give access to that part from third party hosts (by using the crossdomain file).
Look into the idea of wrapping main inside a type of preloader, and putting main into a secure dir on the server. I cant remember how this gets around the cache problem, but it had to do with how the wrapper loads main.
Something like this:
// preloader.as (embedded in fla)
var imageLoader:Loader;
function randomNumber(low:Number=NaN, high:Number=NaN):Number
{
var low:Number = low;
var high:Number = high;
if(isNaN(low))
{
throw new Error("low must be defined");
}
if(isNaN(high))
{
throw new Error("high must be defined");
}
return Math.round(Math.random() * (high - low)) + low;
}
function loadImage(url:String):void {
imageArea.visible=false;
preloader.visible = true;
// Set properties on my Loader object
imageLoader = new Loader();
imageLoader.load(new URLRequest(url));
imageLoader.contentLoaderInfo.addEventListener(ProgressEvent.PROGRESS, imageLoading);
imageLoader.contentLoaderInfo.addEventListener(Event.COMPLETE, imageLoaded);
imageArea.addChild(imageLoader);
}
// DOIT!
loadImage("main.sw?"+randomNumber(1000,10000)); //NOT A TYPO!
//loadImage("main.swf"+randomNumber(1000,10000);
function imageLoaded(e:Event):void {
// Hide Preloader
preloader.visible = false;
}
function imageLoading(e:ProgressEvent):void {
// Get current download progress
var loaded:Number = e.bytesLoaded / e.bytesTotal;
// Send progress info to "preloader" movie clip
preloader.SetProgress(loaded);
}
/// this is main.sw //NOT A TYPO
<?php
// Tried this - abandoned
// session_start();
//
// if(isset($_SESSION["flash"])) {
// $referrer = $_SERVER["HTTP_REFERER"];
// $referrer = parse_url($referrer);
// if($referrer["host"] != $_SESSION["flash"]) {
// echo "Permission denied.";
// exit();
// }
// } else {
// echo "Permission denied.";
// exit();
// }
//
// unset($_SESSION["flash"]);
header("Content-type: application/x-shockwave-flash");
readfile("/secure/main.swf");
?>
// main.as
public function onCreationComplete(event:Event):void{
Security.allowDomain( "*" );
Security.loadPolicyFile( "crossdomain.xml" );
}
// crossdomain.xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
That should get you started. The idea here was to prevent anyone from getting main on their machine- I am not sure if it worked.
You may have a server-side page generate a key using a date-based algorithm which is passed via flash var to your swf. This way a "copied" key won't work because by that time, the valid date will have passed. From what I understand, this would essentially be like using an RSA token.
Aside from this, any security you have will also need code to be inside your SWF to validate your token. The problem here is that SWFs are known to decompile quite easily. Meaning that your code isn't safe :( You could obfuscate your AS3 in hopes to confuse any "hackers".
All in all, I've never attempted anything like this, so let us know how it goes!
I just stumbled over a problem using the Dropbox API.
Currently I am using the this lib: http://code.google.com/p/dropbox-php/
The problem is, if I upload a file I get a success but nothing arrives at the Dropbox.
I also "hacked" into the library and changed some of the post stuff. I can post it if you want.
Anybody got a solution for that?
Thanks!
//EDIT: I am using PHPs integrated OAuth functions
//EDIT2:
<?php
include "class/Dropbox/autoload.php";
$oauth = new Dropbox_OAuth_PHP("xxxxxxxxxxx", "xxxxxxxxxxx");
$dropbox = new Dropbox_API($oauth);
//re-login
if(isset($_SESSION["oauth_tokens"])) {
$my->oauth->setToken($_SESSION["oauth_tokens"]);
}
//uploads itself to DB
if($dropbox->putFile( basename(__FILE__), __FILE__ )) {
echo "Success";
} else {
echo "Fail :(";
}
sure this is not the complete code but assume that the user is logged in. :)
Dropbox for PHP, the library you're using to upload files to Dropbox, isn't maintained anymore and therefore may not function properly.
Try out PHP Dropbox Uploader. It is mentioned on the official Dropbox wiki.