php-general Digest 23 Sep 2007 13:51:01 -0000 Issue 5034
Topics (messages 262379 through 262387):
Re: MAX_FILE_SIZE not working with file uploads
262379 by: Ray
262380 by: Jim Lucas
262381 by: brian
262382 by: brian
262383 by: brian
262384 by: Jeff Cohan
Install InnovaStudio as a joomla Mambot
262385 by: abderrazzak nejeoui
Re: Limiting connection to mysql using old mysql module (not mysqli)
262386 by: Per Jessen
Getting PHP CLI on machine without compiling or changing the other part of the system
262387 by: Peter Lauri
Administrivia:
To subscribe to the digest, e-mail:
[EMAIL PROTECTED]
To unsubscribe from the digest, e-mail:
[EMAIL PROTECTED]
To post to the list, e-mail:
[EMAIL PROTECTED]
----------------------------------------------------------------------
--- Begin Message ---
On Saturday 22 September 2007 7:39:01 pm Dan Parry wrote:
> > -----Original Message-----
> > From: Ray [mailto:[EMAIL PROTECTED]
> > Sent: 23 September 2007 02:25
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP] MAX_FILE_SIZE not working with file uploads
> >
> > On Saturday 22 September 2007 7:44:55 pm Jeff Cohan wrote:
> > > Dan Parry wrote:
> > > > I might be wrong but this would be classed as
> > > > 'exploitable'... Webservers should not be allowed
> > > > to read from or write to clients... Of course there
> > > > is ActiveX...
> > >
> > > I think we're off the point.
> > >
> > > My script is simply interrogating the value of the
> > > $_FILES[userfile][size] array element. It's coming up as ZERO if it
> > > exceeds the MAX_FILE_SIZE.
> >
> > Exactly, no valid file was uploaded. The size of the valid file is
> > therefore
> > zero.
> >
> > > That seems odd to me.
> > > But maybe that's
> > > the way it's SUPPOSED to work. That's why I started this thread out
> > > with "What am I missing?".
> > >
> > > Said another way:
> > >
> > > It seems that the server had to know the size of the file in order
> > > to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> > > size?
> >
> > Can you use Javascript to check file size client side, send data via
> > AJAX then
> > issue warnings
>
> This would be the exploitable 'feature' I mentioned... Client-side files
> should never be readable
>
> Dan
If the contents of a file were readable, I would definitely agree with you.
I'm not convinced that the ability to detect the filesize of a file that the
user selected would be exploitable, but it's a moot point as it doesn't work
in JavaScript. (as someone else pointed out, maybe ActiveX?)
I'm not a JavaScript expert, but I am learning, so I dug out the book, and put
together the following script. (Ugly, insecure, and doesn't really do
anything, but quick and it works, at least on my machine/browser combo)
Select a file, and the page will tell you everything it can about the file. My
machine reports size as zero.
Ray
(Script guaranteed to occupy 0 or more bites of diskspace.)
<html>
<head><title>test</title>
<script type="text/javascript">
// Called from the onchange handler of the file input below; each alert
// shows one property of the <input type="file"> element itself.
function uptest()
{
alert (document.test.fileTest.defaultValue);
alert (document.test.fileTest.form);
alert (document.test.fileTest.name);
alert (document.test.fileTest.readOnly);
alert ('size follows');
// "size" here is the input element's size attribute, not the selected file's size
alert (document.test.fileTest.size);
alert (document.test.fileTest.type);
alert (document.test.fileTest.value);
}
</script>
</head>
<body>
<form name="test" method="post">
File: <input type="file" onchange="uptest()" name="fileTest"/>
</form>
</body>
</html>
--- End Message ---
--- Begin Message ---
Jeff Cohan wrote:
> Dan Parry wrote:
> > I might be wrong but this would be classed as
> > 'exploitable'... Webservers should not be allowed
> > to read from or write to clients... Of course there
> > is ActiveX...
>
> I think we're off the point.
>
> My script is simply interrogating the value of the
> $_FILES[userfile][size] array element. It's coming up as ZERO if it
> exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's
> the way it's SUPPOSED to work. That's why I started this thread out
> with "What am I missing?".
>
> Said another way:
>
> It seems that the server had to know the size of the file in order
> to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> size?
OK, not sure why nobody has pointed this out, but...
A signed JavaScript session is allowed to access the local file system
through the browser. But an unsigned JS process/session is not.
Now, the reason that PHP can't do anything about the file upload while
in process is that PHP doesn't know anything about the file upload
until Apache/IIS/... hands off the uploaded file to PHP.
Apache is actually the part receiving the uploaded file. Once it is
completely uploaded, the web server passes the temporary file name to
PHP and then PHP gets what information about it it can.
Try trapping the error. You will probably want to try with a setting in
the php.ini or a .htaccess file that will change your error_handler
function to some custom function that you can then use to allow the
script to continue running, but capture and pass off information to the
rest of your scripts.
Then see if in the $_FILES array you find a temp file name. Before your
script ends, you might be able to look at the stats of that temp file
and glean some of the information that you are wanting to know from it.
Remember, when uploading a file, your scripts are only parsed before the
upload actually starts. Only once your upload completes successfully will
it then execute your PHP scripts.
From what research and testing that I have done, this is the way PHP
handles uploads. This was on a Redhat/Apache/PHP4 setup, back about 6
years ago.
Hope it is still accurate.
Jim
--- End Message ---
--- Begin Message ---
Ray wrote:
> On Saturday 22 September 2007 7:39:01 pm Dan Parry wrote:
> > This would be the exploitable 'feature' I mentioned... Client-side files
> > should never be readable
> >
> > Dan
>
> If the contents of a file were readable, I would definitely agree with you.
> I'm not convinced that the ability to detect the filesize of a file that the
> user selected would be exploitable, but it's a moot point as it doesn't work
> in JavaScript. (as someone else pointed out, maybe ActiveX?)

If JavaScript can read the *directory* (and, thus, the size of the file)
I'd be a bit nervous about that.

> I'm not a JavaScript expert, but I am learning, so I dug out the book, and put
> together the following script. (Ugly, insecure, and doesn't really do
> anything, but quick and it works, at least on my machine/browser combo)
> Select a file, and the page will tell you everything it can about the file. My
> machine reports size as zero.

Wouldn't that suggest that it's not working, then? ;-)

Anyway, your script is interrogating the file *input element*, not the
file itself. Where you're trying to get the file size
(document.test.fileTest.size) you're actually grabbing the value of the
input's "size" attribute, which has a default of 0. You'll see this if
you edit the input to have, e.g., size="100"
brian
--- End Message ---
--- Begin Message ---
Jeff Cohan wrote:
> Dan Parry wrote:
> > I might be wrong but this would be classed as
> > 'exploitable'... Webservers should not be allowed
> > to read from or write to clients... Of course there
> > is ActiveX...
>
> I think we're off the point.
>
> My script is simply interrogating the value of the
> $_FILES[userfile][size] array element. It's coming up as ZERO if it
> exceeds the MAX_FILE_SIZE. That seems odd to me. But maybe that's
> the way it's SUPPOSED to work. That's why I started this thread out
> with "What am I missing?".
>
> Said another way:
>
> It seems that the server had to know the size of the file in order
> to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> size?
Not at all. The user-agent is built to ignore files that exceed the
MAX_FILE_SIZE value. The hooks into the OS that it utilises to send the
file to the server also allow it to poll the file size (if it couldn't,
things would get messy on the server, quick). But Javascript is a whole
'nother thing, and it is not (normally--see Jim Lucas' post) able to get
this information (thankfully).
So, your PHP script is not receiving a file at all.
brian
--- End Message ---
--- Begin Message ---
brian wrote:
> Jeff Cohan wrote:
> > It seems that the server had to know the size of the file in order
> > to know it exceeded MAX_FILE_SIZE. So how can my script find out the
> > size?
>
> Not at all. The user-agent is built to ignore files that exceed the
> MAX_FILE_SIZE value.
Ack! I meant, "The user-agent *should be* built to ignore ..."
i.e. MAX_FILE_SIZE is generally a client-side tool (and thus not to be
relied upon too much) but will be honoured by PHP as well (if it does
not exceed post_max_size in php.ini).
brian
--- End Message ---
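Jim's suggestion (look at what $_FILES actually contains when the upload was rejected) and brian's point (MAX_FILE_SIZE is client-supplied and only advisory, so the server must enforce its own limit) can be shown together in one upload handler. The script below is an added example, not code from anyone in this thread; it assumes PHP 7 or later, a form field named "userfile", and a constructed upload directory and size limit. The $_FILES['userfile']['error'] element and the UPLOAD_ERR_* constants are PHP's own and are exactly what explains the "size is ZERO" observation: when the hidden MAX_FILE_SIZE field is exceeded, PHP discards the file, sets 'error' to UPLOAD_ERR_FORM_SIZE, and reports 'size' as 0.

```php
<?php
// Added example (not from the thread): a server-side upload handler that
// enforces its own size limit instead of trusting the form's MAX_FILE_SIZE
// field, and reports *why* $_FILES['userfile']['size'] came back as 0.

// Hard limit enforced on the server (constructed value; adjust as needed).
// It must also not exceed upload_max_filesize / post_max_size in php.ini,
// otherwise PHP rejects the request before this script ever runs.
const SERVER_MAX_BYTES = 1048576; // 1 MiB

/**
 * Inspect one $_FILES entry and return 'ok' or a short rejection reason.
 * The 'error' element (PHP >= 4.2) carries an UPLOAD_ERR_* code.
 */
function check_upload(array $file, int $maxBytes): string
{
    switch ($file['error'] ?? UPLOAD_ERR_NO_FILE) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_FORM_SIZE:
            // The browser sent the file, but it was larger than the hidden
            // MAX_FILE_SIZE field, so PHP discarded it: 'size' is 0 and
            // 'tmp_name' is empty. This is the case the thread discusses.
            return 'rejected: exceeds the form MAX_FILE_SIZE';
        case UPLOAD_ERR_INI_SIZE:
            return 'rejected: exceeds upload_max_filesize in php.ini';
        case UPLOAD_ERR_PARTIAL:
            return 'rejected: only partially uploaded';
        case UPLOAD_ERR_NO_FILE:
            return 'rejected: no file was uploaded';
        default:
            return 'rejected: upload error code ' . $file['error'];
    }

    // MAX_FILE_SIZE is chosen by the client, so re-check the size here.
    if ($file['size'] > $maxBytes) {
        return 'rejected: larger than the server-side limit';
    }

    // Only accept paths that PHP itself created for this request; this
    // stops a crafted request from pointing tmp_name at an arbitrary file.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'rejected: not a genuine uploaded file';
    }

    return 'ok';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $status = check_upload($_FILES['userfile'] ?? [], SERVER_MAX_BYTES);
    if ($status === 'ok') {
        // Constructed placeholder directory; keep it outside the web root
        // and use a server-generated name rather than the client's.
        $dest = '/var/www/uploads/' . bin2hex(random_bytes(16));
        move_uploaded_file($_FILES['userfile']['tmp_name'], $dest);
        echo 'stored ', (int) $_FILES['userfile']['size'], ' bytes';
    } else {
        echo htmlspecialchars($status);
    }
    exit;
}
?>
<!-- PHP only honours MAX_FILE_SIZE when the hidden field precedes the file
     input, and any client can change or omit it, so it is advisory only. -->
<form method="post" enctype="multipart/form-data">
  <input type="hidden" name="MAX_FILE_SIZE" value="<?= SERVER_MAX_BYTES ?>">
  <input type="file" name="userfile">
  <input type="submit" value="Upload">
</form>
```

One caveat worth knowing when reading the result: if the whole POST body exceeds post_max_size, PHP drops $_POST and $_FILES entirely (and logs a warning), so the handler above sees "no file was uploaded" rather than a size error. Checking the Content-Length header against post_max_size before dispatching is the usual way to give the user a better message in that case.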
--- Begin Message ---
Thank you, all who replied. This helps me understand. I might give a
try to the workarounds some suggested.
Great newsgroup.
Jeff
--- End Message ---
--- Begin Message ---
Please can somebody help me to install InnovaStudio WYSIWYG as a Joomla
Mambot!
Thanks
Nejeoui
--- End Message ---
--- Begin Message ---
Stut wrote:
> Indeed, but only if you're making a lot of repetitive queries to the
> database.
Which is typically what a busy website does :-)
> However, since the OP wants to reduce the number of
> connections to the database, query caching may reduce the time each
> connection is held for it will not reduce the overall number of
> connections.
The number of connections is presumably only important if we speak about
the number of concurrent connections. If each query can be dealt with
faster due to caching, the number of concurrent connections should
drop.
/Per Jessen, Zürich
--- End Message ---
--- Begin Message ---
Hi,
In a current project we have developed a piece of software that runs
independently and that only requires php5 as a CLI component.
Now we want to use this software on other machines, and the only requirement
is that the machine has php5 installed. Fine for now, but then we have
started to get requests from clients to use this on their machines, as they
need our software there. Then we informed them that we need to compile php
on their machine. But due to the sensitive machines that they have, they
rejected that idea. So now we need to find a way to have PHP5 on the
machine, without compiling it on their machine and changing their
environment.
So is there any nice solution with php pre-compiled and with the files
just in a tarball or similar, so that the php cli can be used?
Best regards,
Peter Lauri
www.dwsasia.com - company web site
www.lauri.se - personal web site
www.carbonfree.org.uk - become Carbon Free
--- End Message ---