Re: [PHP] User question for PHP
To whoever was asking this (sorry didn't see the original email): Is it possible to have a PHP script execute as the user of the domain instead of the webserver? So when I upload files through a PHP script they are owned by me and not "wwwrun" or "nobody"? I was recently exchanging on this list about that very topic. It's in the archives for this list. Go to www.php.net and set the dropdown menu in the upper right corner of the page to "general mailing list", then type "File Upload Security and chmod" into the search field and hit enter. The conversation is within the first few hits on this search. The server hosting my site runs with php executing as "me" (the owner of the domain), and we covered some of the potential security pitfalls of such a situation (mainly centered on the fact that this makes any php script far too powerful). In my situation I couldn't change how the server was set up; however, the general consensus was that this situation created a number of serious security concerns that had to be very carefully addressed. I would avoid this configuration if you have the choice, based purely on the advice I received. Hope that helps, Andy
Re: [PHP] Can i take the variable name in a function?
Check this out: http://www.php.net/manual/en/functions.arguments.php Specifically this example: Making arguments be passed by reference By default, function arguments are passed by value (so that if you change the value of the argument within the function, it does not get changed outside of the function). If you wish to allow a function to modify its arguments, you must pass them by reference. If you want an argument to a function to always be passed by reference, you can prepend an ampersand (&) to the argument name in the function definition: *Example 17-6. Passing function parameters by reference* I think that does what you want? Andy On 10/11/06, Jônata Tyska Carvalho <[EMAIL PROTECTED]> wrote: I know that function does not work, but im asking if someone know a way to do that. Someone know how ??? On 10/11/06, Andy Hultgren < [EMAIL PROTECTED]> wrote: > > u no... I suppose I should have though! :) > > On 10/11/06, Jochem Maas <[EMAIL PROTECTED] > wrote: > > > > Andy Hultgren wrote: > > > Would something like this work? > > > > did you try it? ;-) > > it won't work > > > > > > > > Definition: > > > function example($$ex) { > > >echo "Variable Name is $ex"; > > > } > > > > > > example($ball); > > > > > > > > > I'm fairly new to php and not so familiar with variable variables, > > but I > > > thought I'd throw it out there as a thought! > > > > > > Andy > > > > > > > > > On 10/11/06, *Jochem Maas* < [EMAIL PROTECTED] > > > > wrote: > > > > > > Jônata Tyska Carvalho wrote: > > > > How can i take the variable name inside a function, ex: > > > > > > > > definition: > > > > function example( $ex ){ > > > > echo "Variable Name is $ex "; // how to do this? > > > > } > > > > > > > > use: > > > > > > > > example($ball); > > > > > > > > output: Variable Name is ball; > > > > > > > > another: > > > > > > > > example($sportCar); > > > > > > > > output: Variable Name is sportCar; > > > > > > > > is that possible? > > > > > > no. > > > > > > > > > > > > > > > > > > > > > -- > > > PHP General Mailing List ( http://www.php.net/) > > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > > > > > > -- Jônata Tyska Carvalho - -- Técnico em Informática pelo Colégio Técnico Industrial (CTI) -- Graduando em Engenharia de Computação Fundação Universidade Federal de Rio Grande (FURG)
Re: [PHP] Can i take the variable name in a function?
u no... I suppose I should have though! :) On 10/11/06, Jochem Maas <[EMAIL PROTECTED]> wrote: Andy Hultgren wrote: > Would something like this work? did you try it? ;-) it won't work > > Definition: > function example($$ex) { >echo "Variable Name is $ex"; > } > > example($ball); > > > I'm fairly new to php and not so familiar with variable variables, but I > thought I'd throw it out there as a thought! > > Andy > > > On 10/11/06, *Jochem Maas* <[EMAIL PROTECTED] > <mailto:[EMAIL PROTECTED]>> wrote: > > Jônata Tyska Carvalho wrote: > > How can i take the variable name inside a function, ex: > > > > definition: > > function example( $ex ){ > > echo "Variable Name is $ex "; // how to do this? > > } > > > > use: > > > > example($ball); > > > > output: Variable Name is ball; > > > > another: > > > > example($sportCar); > > > > output: Variable Name is sportCar; > > > > is that possible? > > no. > > > > > > > > > -- > PHP General Mailing List ( http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > >
Re: [PHP] Can i take the variable name in a function?
Would something like this work? Definition: function example($$ex) { echo "Variable Name is $ex"; } example($ball); I'm fairly new to php and not so familiar with variable variables, but I thought I'd throw it out there as a thought! Andy On 10/11/06, Jochem Maas <[EMAIL PROTECTED]> wrote: Jônata Tyska Carvalho wrote: > How can i take the variable name inside a function, ex: > > definition: > function example( $ex ){ > echo "Variable Name is $ex "; // how to do this? > } > > use: > > example($ball); > > output: Variable Name is ball; > > another: > > example($sportCar); > > output: Variable Name is sportCar; > > is that possible? no. > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Problem receiving POSTed data
Problem solved: it was indeed that the flash object did not like multidimensional data. I didn't change my PHP code one little bit. But I changed my my ActionScript code to write the data in a 1-dimensional form as follows: /*/ for(var i in _level0) { if(typeof(_level0[i]) == "movieclip") { data_lv[i + "_path"] = _level0[i]; data_lv[i + "_id"] = _level0[i]._name; data_lv[i + "_x"] = _level0[i]._x; data_lv[i + "_y"] = _level0[i]._y; } } data_lv.sendAndLoad("myScript.php", data_lv, "POST"); /**/ This works perfectly and php receives all of the data correctly. Thanks guys for your thoughts. I'm going to be posting an addition to the online ActionScript documentation to hopefully help others avoid this pitfall! Andy On 10/6/06, Andy Hultgren <[EMAIL PROTECTED]> wrote: Am working on #2 right now... On 10/6/06, Richard Lynch <[EMAIL PROTECTED]> wrote: > > On Fri, October 6, 2006 4:01 pm, Andy Hultgren wrote: > > /*/ > > $data = $_POST; > > $stuff = "\n \n Post contains:"; > > > > foreach($data as $prop => $val) { > > $stuff .= "\n {$prop}: {$val}"; > > } > > /*/ > > > > PHP does pretty minimal munging of the POST data. > > It's unlikely that Flash is sending what you think it's sending. > > Even if it is, you have two options: > > 1. Use HTTP_RAW_POST_DATA (turn it on in PHP) and write your own Flash > array parser in PHP. > > 2. Convince Flash to POST data more like PHP wants it: > id[a][prop1]=a1&id[a][prop2]=a2&id[b][prop1]=b1... > > #2 will probably be WAY easier, unless Flash is even more broken than > I think. And I think Flash is pretty broken. :-) > > -- > Some people have a "gift" link here. > Know what I want? > I want you to buy a CD from some starving artist. > http://cdbaby.com/browse/from/lynch > Yeah, I get a buck. So? > >
Re: [PHP] Problem receiving POSTed data
Am working on #2 right now... On 10/6/06, Richard Lynch <[EMAIL PROTECTED]> wrote: On Fri, October 6, 2006 4:01 pm, Andy Hultgren wrote: > /*/ > $data = $_POST; > $stuff = "\n \n Post contains:"; > > foreach($data as $prop => $val) { > $stuff .= "\n {$prop}: {$val}"; > } > /*/ PHP does pretty minimal munging of the POST data. It's unlikely that Flash is sending what you think it's sending. Even if it is, you have two options: 1. Use HTTP_RAW_POST_DATA (turn it on in PHP) and write your own Flash array parser in PHP. 2. Convince Flash to POST data more like PHP wants it: id[a][prop1]=a1&id[a][prop2]=a2&id[b][prop1]=b1... #2 will probably be WAY easier, unless Flash is even more broken than I think. And I think Flash is pretty broken. :-) -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?
Re: [PHP] Problem receiving POSTed data
Hang on - my php code may be working fine. It might be a problem with my actionscript code - particularly that the LoadVars object I'm using to send the data might not be able to take multidimensional data (though it definitely does not say that *anywhere* in the documentation!!). Stupid actionscript documentation. Raphael, here is the code I am using (I am iterating through all of the movieclips in my flash doc and gathering data on their name and position): /*/ for(var i in _level0) { if(typeof(_level0[i]) == "movieclip") { data_lv[i] = _level0[i]; data_lv[i].id = _level0[i]._name; data_lv[i].x = _level0[i]._x; data_lv[i].y = _level0[i]._y; } } data_lv.sendAndLoad("myScript.php", data_lv, "POST"); /**/ The odd thing is that I print out the contents of data_lv and everything is there as expected in multidimensional form so I thought that was working fine, but someone on a flash message board just posted saying they thought LoadVars objects could not handle multidimensional data. So maybe even though the contents of the object print as expected, it doesn't send as expected. I'll try this in a completely one-dimensional array from flash to php and see if it works. If it does, I'll let everyone know. Andy On 10/6/06, Raphael Martins <[EMAIL PROTECTED]> wrote: Did you explicitly checked if the id1 'a' prop isn´t an array? Can you post your ActionScript codemaybe it´ll help! :D Good Luck 2006/10/6, Andy Hultgren < [EMAIL PROTECTED]>: > > Hi everyone, > > So, I'm trying to receive POSTed data which is being sent from Flash > structured as a nested array pictured (conceptually): > > "id" contains (a, b, c) > "a" contains (prop1 => a1, prop2 => a2, ...) > "b" contains (prop1 => b1, prop2 => b2, ...) > "c" contains (prop1 => c1, prop2 => c2, ...) > > where a1, a2, b1, b2, c1, c2 are values stored in the keys prop1, prop2 > etc. > of their respective arrays. That's the conceptual structure, but that > isn't > how the information is passed to PHP from Flash. In Flash (which uses > "." > notation for arrays), the data is packaged with a LoadVars object (for > those > who care) as follows: > > postObject.id1 > postObject.id1.prop1 = a1 > postObject.id1.prop2 = a2 > ... > postObject.id2.prop1 = b1 > postObject.id2.prop2 = b2 > ... > etc. > > I *think* this data *should be* received by PHP (with dots converted to > "_" since that's what I've read php does) in the $_POST array as > follows: > > $_POST contains (id1 -> a, id1_prop1 -> a1, id1_prop2 -> a2, ..., id2 -> > b, > id2_prop1 -> b1, id2_prop2 -> b2, ...) > > However, that's not what I appear to be getting from the $_POST > array. When > I run this code: > > /*/ > $data = $_POST; > $stuff = "\n \n Post contains:"; > > foreach($data as $prop => $val) { > $stuff .= "\n {$prop}: {$val}"; > } > /*/ > > and write $stuff to a .txt file, I get the following output: > > Post contains: > id1: a > id2: b > id3: c > > and that's it! No information at all about id1_prop1, id1_prop2, > id2_prop1, > etc etc. > > I am really stuck at this point. Does anyone know how multidimensional > information is passed to the $_POST variable? I know it can be done > with > HTML forms and arrays, but I'm using flash and so I think my > multidimensional array of information simply gets flattened into a > one-dimensional array when POSTed as a described above (since Flash uses > dot > notation for arrays and php changes dots to underscores and just makes > it > one long variable name). And that would work fine if that's what it was > doing, but, for some reason, $_POST doesn't seem to be receiving the > second > array dimension at all which contains all of my property information > (which > should have been flattened into the first dimension). > > If that's doesn't make any sense please let me know and I will attempt > to > clarify. Otherwise, any and all help is very much appreciated! > > Andy > >
[PHP] Problem receiving POSTed data
Hi everyone, So, I'm trying to receive POSTed data which is being sent from Flash structured as a nested array pictured (conceptually): "id" contains (a, b, c) "a" contains (prop1 => a1, prop2 => a2, ...) "b" contains (prop1 => b1, prop2 => b2, ...) "c" contains (prop1 => c1, prop2 => c2, ...) where a1, a2, b1, b2, c1, c2 are values stored in the keys prop1, prop2 etc. of their respective arrays. That's the conceptual structure, but that isn't how the information is passed to PHP from Flash. In Flash (which uses "." notation for arrays), the data is packaged with a LoadVars object (for those who care) as follows: postObject.id1 postObject.id1.prop1 = a1 postObject.id1.prop2 = a2 ... postObject.id2.prop1 = b1 postObject.id2.prop2 = b2 ... etc. I *think* this data *should be* received by PHP (with dots converted to "_" since that's what I've read php does) in the $_POST array as follows: $_POST contains (id1 -> a, id1_prop1 -> a1, id1_prop2 -> a2, ..., id2 -> b, id2_prop1 -> b1, id2_prop2 -> b2, ...) However, that's not what I appear to be getting from the $_POST array. When I run this code: /*/ $data = $_POST; $stuff = "\n \n Post contains:"; foreach($data as $prop => $val) { $stuff .= "\n {$prop}: {$val}"; } /*/ and write $stuff to a .txt file, I get the following output: Post contains: id1: a id2: b id3: c and that's it! No information at all about id1_prop1, id1_prop2, id2_prop1, etc etc. I am really stuck at this point. Does anyone know how multidimensional information is passed to the $_POST variable? I know it can be done with HTML forms and arrays, but I'm using flash and so I think my multidimensional array of information simply gets flattened into a one-dimensional array when POSTed as a described above (since Flash uses dot notation for arrays and php changes dots to underscores and just makes it one long variable name). And that would work fine if that's what it was doing, but, for some reason, $_POST doesn't seem to be receiving the second array dimension at all which contains all of my property information (which should have been flattened into the first dimension). If that's doesn't make any sense please let me know and I will attempt to clarify. Otherwise, any and all help is very much appreciated! Andy
Re: [PHP] File Upload Security and chmod
Well, seeing as I have no directory anywhere in my file structure called "/tmp" and yet my file uploads are still working, it would appear that my temporary file upload directory "/tmp" given by php_info() is somewhere outside of my root directory. So that's good news! That's were I'll be doing my file checks anyway before moving any files into my root directory. Anyway, at this point it looks like I need to buckle down and do some thinkin'. Thank you everyone for your advice, I really really appreciate it!! You guys have given me a really good foundation to start from on these questions of site security, and I appreciate you taking the time to pass on your expertise to a newcomer. All the best, Andy On 9/27/06, Richard Lynch <[EMAIL PROTECTED]> wrote: On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote: > So I've been trying to figure out where php uploads files to > temporarily > store them before I move them to their permanent storage directory, > and I'm > having some difficulties: > > -- php_info() says the temporary file upload directory is "/tmp" but I > don't > know if that's relative to my root directory or what and can't figure > out > from the documentation how that path is displayed. /tmp means the /tmp on the root of the hard drive, which your webhost allegedly isn't letting you share... HOWEVER: It is entirely possible (nay, even likely) that they have you in a ch-rooted environment where your "/tmp" is not somebody else's "/tmp" so you'll just see "/tmp" and you don't have to worry about the fact that it's not really really /tmp but somewhere else... > -- I have tried to call pathinfo() and realpath() on my > $_FILES['name']['tmp_name'] file before it is moved, but neither gives > the > full path to the file If $_FILES['name']['tmp_name'] does already have the full path, something is very wrong on your system... Note that as soon as your upload-receiving script ends, the file is deleted. You *have* to use move_uploaded_file() on it in the upload-receiving script to save the file somewhere else, or it's just gonna go away, and you ain't gonna see it never again. > Maybe I should have one of those disclaimers posted on my homepage > like the > ones that you see in taxis sometimes: "This driver never carries more > than > $20 cash." --> "This website never carries anyone's financial > information." :) :-) While there are obviously people "out there" who will just attack randomly, (spammers) I honestly believe that a valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a much less likely target for an actual human attack. I have absolutely zero evidence to support that claim, other than one site that's been wide open to abuse for most of a decade, and only the mindless spam-bots bother it... :-) -- Like Music? http://l-i-e.com/artists.htm
Re: [PHP] File Upload Security and chmod
So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties: -- php_info() says the temporary file upload directory is "/tmp" but I don't know if that's relative to my root directory or what and can't figure out from the documentation how that path is displayed. -- I have tried to call pathinfo() and realpath() on my $_FILES['name']['tmp_name'] file before it is moved, but neither gives the full path to the file (which I realized after reading the documentation that neither is supposed to do). Any ideas on functions that will give the full path of the inputted file? I've been searching the php documentation and general list but to no avail. On the plus side, I did get to practice writing information to a text file, so that was fun :) Thanks for the tips on the chmod requirements for the get_image_size() function, I'm all about keep permissions as strict as possible at this point! Crap, gotta use my brain, huh? :) Seriously, thanks for the overview on how "security" should be approached and for the advice to not take general security recommendations at face value but to give them some thought, given my unique situation. This is really good for me to learn now, while I'm still implementing my security rather than later when I might have to redo everything (or might have a gaping hole based on a poor assumption). At least I won't be storing anyone's financial information, so I should only be a target for people who just want to be mean, but not people who want to get free stuff from others credit info. Maybe I should have one of those disclaimers posted on my homepage like the ones that you see in taxis sometimes: "This driver never carries more than $20 cash." --> "This website never carries anyone's financial information." :) Andy On 9/26/06, Richard Lynch <[EMAIL PROTECTED]> wrote: On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote: > So I tried to implement the example code given in the php tmpfile() > documentation and it wouldn't do anything, which suggests that I don't > have > access to the /tmp directory. Also, the FAQ's section on my server's > website say that /tmp is not shared between the servers. So, looks > like > /tmp option is out... Did they perhaps give you your own "tmp" directory elsewhere?... Sometimes you just need to poke at it to figure out where your "tmp" is, and then you can use the PHP functions that let you specify your own directory, but not the ones that assume that system /tmp is your "tmp" My host has a "tmp" dir I can use, but it ain't /tmp, and PHP routinely tries to use /tmp with some functions. G. > So, let me see if I understand the situation I'm looking at here: > > The bad side: > -- I don't have any place to put uploaded files outside of my webtree, > which > makes it tough to ensure these files cannot be surfed to once they are > uploaded, and also means I have to do my security checks while the > files are > within my webtree and potentially accessible. (BAD). Yes. Though if file uploads are working at all, looking at the $_FILES array may give you a clue as to a directory that you maybe *can* access which is your own private "tmp"... > -- Any php script on my server (created by me or somehow maliciously > uploaded) can do whatever it wants within my account because all php > scripts run as me. (also BAD). On the plus side, some of the coding gets real simple, since you are you, and you are never somebody else. :-) > The good side: > -- Uploaded files can be chmod so that nobody can read them, then I > chmod > them when I need to use them. This adds a layer of protection for > completely uploaded files. I assume this will not help with files > while > they are getting their security checks, since PHP has to be able to > read and > execute them in order to run the checks (get_image_size, etc.)? PHP needs to read them for get_image_size, but not execute. Use minimum force needed. If you are flipping the chmod around within your scripts, that reduces your risk to however long the dir remains in its 0777 (or whatever) state, which is however long your script takes to process whatever it has to process in that state. So long exhaustive checks of the validity of a file are "bad" because that leaves that window open longer, but they're "good" because the file is then more likely to be kosher. > -- Since I'm only allowing image uploads, I can strictly filter which > files > are allowed to be uploaded (with extension checks and get_image_size). Extension check is kinda useless... I
Re: [PHP] File Upload Security and chmod
Hey Tedd and Eric, Between the two of you and Richard Lynch's last post, I understand why I can use chmod() and mkdir() within php without having to use the ftp commands: I run on a server that is configured to run my php scripts as "username" (ie. me!) instead of as "nobody" (which is much more common). So my php scripts have powers which they probably shouldn't have. So, Tedd, you don't have to go back to the manual it looks like you are exactly right, I'm just on a goofy server which is the exception to the rule (for better or for worse). I really appreciate you guys jumping in a giving me a hand. Hopefully I get good enough at this that I can return the favor sometime!!! Andy On 9/25/06, Eric Butera <[EMAIL PROTECTED]> wrote: On 9/25/06, Andy Hultgren <[EMAIL PROTECTED]> wrote: > > Tedd, > > Thanks so much your thorough response - it's good to know that I'm not > the > only one trying to figure this out! I'm curious, in your code you use > the > PHP ftp functions, but I have used the PHP functions chmod() and mkdir() > > without establishing an ftp connection. Is it faster to establish an > ftp > connection within PHP and then use the ftp series of functions to > accomplish > all of the directory creation and permissions changes? If so, then I > will > probably change my code to follow yours. > > Andy By using FTP you can specify which user account you want the connection to be established at. When running a PHP script the script will be running by the Apache server, which means it will have specific permission levels which cannot create directories or chmod unless Apache owns the parent directory. That is why Tedd went through all that trouble.
Re: [PHP] File Upload Security and chmod
Well, that didn't sound too good... So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ's section on my server's website say that /tmp is not shared between the servers. So, looks like /tmp option is out... So, let me see if I understand the situation I'm looking at here: The bad side: -- I don't have any place to put uploaded files outside of my webtree, which makes it tough to ensure these files cannot be surfed to once they are uploaded, and also means I have to do my security checks while the files are within my webtree and potentially accessible. (BAD). -- Any php script on my server (created by me or somehow maliciously uploaded) can do whatever it wants within my account because all php scripts run as me. (also BAD). The good side: -- Uploaded files can be chmod so that nobody can read them, then I chmod them when I need to use them. This adds a layer of protection for completely uploaded files. I assume this will not help with files while they are getting their security checks, since PHP has to be able to read and execute them in order to run the checks (get_image_size, etc.)? -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size). (Plus all the stuff talked about in the PHP Security Guide provided by the PHP Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well, all of it that I can implement without having access to a directory outside of my webtree anyway). So, given this situation (if I've got it right), I have two questions: 1) With the above "as is", am I just asking for anyone to come in and tear my site apart? I am not an experienced web developer (obviously), but I love to read. Is that enough to build a secure site, or am I just way in over my head? 2) Imaging that I can convince my host to rebuild my site so that I have access to directories outside of my webtree and can check and save uploaded files there, does that make the situation substantially better? Or is the "PHP running as me" thing enough alone to raise some serious serious problems (perhaps less around the image uploading but more around a login page or something)? As always, thank you so much for your help. Andy On 9/25/06, Richard Lynch <[EMAIL PROTECTED]> wrote: On Sun, September 24, 2006 11:04 pm, Andy Hultgren wrote: > I really appreciate your help with this. > > To answer your first question: when people surf to my site they see > the > stuff "next to" (outside) .public_html/, not anything within > .public_html/. > (Thanks by the way for explaining the .dirName invisibility thing, > that's > one confusing thing not to worry about anymore!) Hmmm. Okay, so you definitely do not have any space outside the webtree. That's bad. Anything you upload is stuck being available to the public, to some degree. :-( You *may* be able to utilize /tmp See if you can write a short little script with http://php.net/tmpfile This will give you and idea if you can stash things in /tmp, at least until you can confirm that they are not Evil. > To answer your second question: the "uploadedFiles/" directory is > 0100, but > not the file. The uploaded file itself is 0640. So your login is allowed to read files within the directory, but not to list what's in the directory. Your login and your group can read the file itself. Your login can write the file as well. See next question/answer. > Third question: it runs as the same username I use to login to my > server's > ftp site. This information wasn't in the output of the phpinfo() > function > (that I could find). I did some searching on php.net and found this > entry > under the get_current_user() function ( > http://us3.php.net/manual/en/function.get-current-user.php, top user > contributed note): > ** > *to get the username of the process owner (rather than the file > owner), you > can use: > ** $processUser = posix_getpwuid(posix_geteuid**()); > print $processUser['name'**]; > ?> * > ** > I used this code to find out the user PHP runs as. Is that what you > were > looking for? Yes. And since PHP runs as "you" with your login, it can do everything listed above. So you probably cannot surf to the DIRECTORY and get a listing (even if DirectoryIndex is on) but if you know the name of the file in advance, you can surf to it. So if you want to make a file not readable, you have to chmod it so that *YOU* cannot read it. This will be a PITA because then you'll need to chmod it back any time you want to mess with it. As the owner of a file, you are allowed to chmod it so that you yo
Re: [PHP] File Upload Security and chmod
Tedd, Thanks so much your thorough response - it's good to know that I'm not the only one trying to figure this out! I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes? If so, then I will probably change my code to follow yours. Andy On 9/25/06, tedd <[EMAIL PROTECTED]> wrote: At 9:32 PM -0600 9/24/06, Andy Hultgren wrote: >Hi Tedd, > >Yes, when I browse to www.myDomain.com I get the index.html file, and so I >have been leaving the .public_html/ directory alone since it is not my >root. I'm curious, what you described is exactly what I'm trying to do - >what permissions do you set the parent folder at when you are finished >uploading/saving/downloading/etc.? I have my "uploaded_images/" >directory set at chmod 0100 and I can still browse to an uploaded image from >my file upload page... Thanks for your response, Andy: I ran into the same problem trying to work with, and understand, permissions on a virtual host. When I asked this gang about permissions some time back, I received answers that ranged from RTFM to calling me stupid for using 0777, but none answered my question. No fault of the gang, I probably didn't ask the question correctly. In any event, I felt too stupid to ask the question again, so I went elsewhere looking for answers and eventually found something that works for me. Some consider me a novice, so I'll ask the gang to overview my comments to make sure that I'm not guiding you down the wrong path. As you know, the key to setting the permissions of a file depends upon the permissions the parent folder. If the parent folder permission is set to 0777, then we can change any files inside the folder as we want. However, that also presents a major security hole because then anyone can use that folder to upload and run evil code. So, the key problem is how to alter parent folder permissions. With virtual hosting, we can upload, manage, and set permissions as we want via our FTP connection software. So, I thought perhaps php had something like that and as such I discovered how to ftp connect via php. Now, not all php ftp_ are available to php 4, but you can connect to your site and change permissions of folders, which is what we actually need. So, if you want to do something with a file: then change the folder permissions of the folder that holds it; do whatever you want with the file; and then change the folder permissions back to something safe. You can also create new folders if you want using the command ftp_mkdir(). Note, the beginning of the ftp_paths are different than url paths we would normally use to locate a file. For example: An example web path: http://www.yourdomain.com/rw/tmp/text.txt An example symbolic link: public_html/rw/tmp/text.txt The following code will show you an example of how this works. Just put in your own domain, user id, password, and correct paths and try it out. Change the permissions in the code and watch how the file permissions change. Please let me know if this works for you -- watch for line breaks. hth's tedd PS: I don't know what to say about your ".public_html/" directory, but I would just leave it alone. --- // how to call the function // the function "); return false; exit(); } else { echo("Made connection"); ftp_chdir($connection, $path); // go to destination dir echo("Change permission"); $str="CHMOD 0755 " . $theDir; // change permissions for dir (note the space after 0775 ) ftp_site($connection, $str); echo("$str"); $filename = "$theDir/$theFile"; $contents = "This is the contents of the file."; echo("Writing file "); $file = fopen( $filename, "w" ); fwrite( $file, $contents); fclose( $file ); chmod($filename,0755); echo("Change permission"); $str="CHMOD 0600 " . $theDir; // change permissions back for dir ftp_site($connection, $str); echo("$str"); echo("Close connection"); ftp_close($connection); // close connection } } ?> -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
Hi Tedd, Yes, when I browse to www.myDomain.com I get the index.html file, and so I have been leaving the .public_html/ directory alone since it is not my root. I'm curious, what you described is exactly what I'm trying to do - what permissions do you set the parent folder at when you are finished uploading/saving/downloading/etc.? I have my "uploaded_images/" directory set at chmod 0100 and I can still browse to an uploaded image from my file upload page... Thanks for your response, Andy On 9/23/06, tedd <[EMAIL PROTECTED]> wrote: At 7:19 PM -0600 9/22/06, Andy Hultgren wrote: >For whatever reason when I ftp in using WinFtp I don't see public_html >(it's hidden, don't know why; if I make a directory called >".public_html" it gets created and then disappears), but I can see my >file structure from my host's website and so I know that when I ftp in >to myDomain.com this is what is "there": > >index.htm >page1.htm >page2.htm >.public_html/ >images/ >etc. etc. Andy: Sorry, I didn't catch all of the thread, but this is my drift. When you access your site (http://yourdomain.com) via a browser, do you see the above index.htm? If so, and you want to stay with that host, then leave the .public_html/ folder alone, and build your site using WinFTP, or whatever. If you want to change permissions for a file from within a php script, then ftp into your site (using ftp_login), change the parent folder permissions, do your file thing (upload, delete, save, etc.), and then change the parent folder permissions back and it's done. At least that's the way I do it working on a shared host and it works for me. tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] File Upload Security and chmod
For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called ".public_html" it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I ftp in to myDomain.com this is what is "there": index.htm page1.htm page2.htm .public_html/ images/ etc. etc. Currently nothing is stored in my .public_html directory since it is not my root (and my website loads just fine when browsed to). I don't ftp in from DreamWeaver and it isn't an issue of going straight to public_html just to skip the cd step. public_html just isn't set up as my root directory and I have no directories accessable that are higher than my root. So, since I have no access to directories outside of my root, do you really think I should change that before allowing file uploads? (either by changing servers or just bugging my server adminstrator until he changes it). I currently check extension type and then image type using get_image_size(); and also files with image extensions are not executable on the server. However, from what I've read I understand that those steps are the minimum in terms of file upload security. Also, I'd be curious still to hear why I can browse to a file in a directory that has been set with chmod 0100. I really didn't expect that. Thanks again very much for your thoughts, Andy On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote: I may have hit "send" too soon... Like, when you do FTP, do you see: index.htm page2.htm page3.htm right away? *OR*, do you see: public_html And then you do "cd public_html" and THEN you see the files? If you don't do "cd public_html" then I really don't think accepting file uploads is a Good Idea, unless you have access to /tmp or something to put the files in... If you do "cd public_html" then you actually HAVE space outside your webtree. Just do "mkdir uploads" and "chmod 777 uploads" *BEFORE* you do "cd public_html" and you'll have an uploads dir outside the webtree where you can put stuff. NOTE: Some fancy FTP tools like DreamWeaver and whatnot will convince you to put "public_html" into some input box somewhere, to give you the convenience of not needing to "cd public_html" -- which then means you never *SEE* that you have space outside your webtree... Stop doing that. An extra click or whatever to get into public_html is not that big of a deal. On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote: > So pretty much there's nothing to be done about it? If I can get the > chmod thing to make it so that you can't surf to your uploaded image > afterwards and view it, I'd be happy with that solution. I'd like to > stick with this host if I could. > > On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote: >> On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote: >> > that as my root directory is simply www.myDomain.com and not >> > ".public_html/" and I am on a shared server where my root cannot >> be >> >> I got two words for you: >> >> Change Hosts >> >> -- >> Like Music? >> http://l-i-e.com/artists.htm >> >> >> > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
So pretty much there's nothing to be done about it? If I can get the chmod thing to make it so that you can't surf to your uploaded image afterwards and view it, I'd be happy with that solution. I'd like to stick with this host if I could. On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote: On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote: > that as my root directory is simply www.myDomain.com and not > ".public_html/" and I am on a shared server where my root cannot be I got two words for you: Change Hosts -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] File Upload Security and chmod
Hi, I am relatively new to php and am trying to set up a file upload process for my website. I have read through the php security documentation and a number of the security-related questions on these lists and am attempting to implement as many of the measures as possible. One of the suggestions I have read is to have the uploaded files saved somewhere outside of your root directory. Unfortunately I cannot do that as my root directory is simply www.myDomain.com and not ".public_html/" and I am on a shared server where my root cannot be changed (I have already asked). So, I am trying to keep the permissions on my "saved_files" folder as tight as possible except when the actual upload occurs. I this as follows: 1) The actual file upload comes through Flash8, and when the user uploads a file it is sent to www.domain.com/flash8directory/upload.php, which is in the same directory as the Flash8 upload application. 2) upload.php first chmod 0740 the "saved_files" folder (which is located at www.domain.com/flash8directory/saved_files/). Then it does security checks to make sure an appropriate image has been uploaded, and if everything looks good it moves the uploaded file to "saved_files". 3) The Flash8 upload application is notified of the completion of the upload and downloads the new image it its viewer. 4) Once the download is complete and Flash8 no longer needs to work with the file, the Flash8 application notifies a separate php script by sending the variable "complete=1" to lockdown.php (located at www.domain.com/flash8directory/lockdown.php), which runs the following simple script: This script works and "saved_files" is set to chmod 0100, but here is the problem. If I then navigate directly to the url of the uploaded file by entering its path in my browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg), the uploaded file appears in my browser! However, if I then refresh the browser I get the desired error message saying I do not have permission to access that file. Also, other browser windows never have access to view the uploaded file, only the browser from which the file was uploaded. Any thoughts on why I can view the uploaded file even though it has been set to chmod 0100? I'd really rather not have those files accessible to anyone, as an extra security layer. Thank you for your help! Andy -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php