Re: [PHP] File Upload MultiPart
On Sun, Feb 24, 2013 at 1:07 PM, user@domain.invalid wrote: Hello, I have been looking how to upload big files more than 1GB , with php but it doesn't work well. I guess php POST multipart method is to memory consuming. Is there a way , like in the apache.commons to catch the stream and handle it ? I've looked at the rfc1867.c file implementation and it seems that this is where the memory goes really up. Is there a way we could change this ? Kind Regards Wim -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Although loathe to respond to someone listed as user@domain.local... Maybe look at http://stackoverflow.com/questions/10961538/uploading-very-large-files-5gb-to-15gb -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Problem
On Wed, Apr 6, 2011 at 1:10 PM, tedd t...@sperling.com wrote: Hi gang: I wrote a simple script to upload image files from my desktop to a server -- the exact same code works on two servers, but fails on a third. I suspect there is something set different between the servers, but I can't find it. Oddly enough, I can upload image files directly to the database, but not to the file system. What could be wrong? What should I be looking for? Cheers, tedd -- --- http://sperling.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php check out the max post size -- Bastien Cat, the other other white meat -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Problem
On Wed, Apr 6, 2011 at 13:10, tedd t...@sperling.com wrote: Hi gang: I wrote a simple script to upload image files from my desktop to a server -- the exact same code works on two servers, but fails on a third. I suspect there is something set different between the servers, but I can't find it. Oddly enough, I can upload image files directly to the database, but not to the file system. What could be wrong? What should I be looking for? Are file uploads enabled and is the size of the file less than the upload size limitation? Is the disk or partition to which the temporary files are being uploaded out of space, whereas the database - perhaps on a different physical disk or partition - still has sufficient free space? Are you sure the user as which the web server (presumably Apache) runs has permission to write to the temporary and target directory? Is the account near or at its disk quota? -- /Daniel P. Brown Network Infrastructure Manager http://www.php.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload utility ?
On Mon, Feb 7, 2011 at 10:56, Frank Bonnet f.bon...@esiee.fr wrote: Hello I'm searching for a utility that let our users upload a file on a server , then generate a temporary link that point to the real file. As this is for internal use we don't need security, the file can be read by anyone. The goal is to distribute the file to our users by sending them an email containing the address of the http temporary link instead of sending it as an email attachement X 1000 ... Sounds great. Good luck in your Google search. -- /Daniel P. Brown Network Infrastructure Manager Documentation, Webmaster Teams http://www.php.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload utility ?
On 02/07/2011 05:01 PM, Daniel Brown wrote: On Mon, Feb 7, 2011 at 10:56, Frank Bonnetf.bon...@esiee.fr wrote: Hello I'm searching for a utility that let our users upload a file on a server , then generate a temporary link that point to the real file. As this is for internal use we don't need security, the file can be read by anyone. The goal is to distribute the file to our users by sending them an email containing the address of the http temporary link instead of sending it as an email attachement X 1000 ... Sounds great. Good luck in your Google search. I found nothing that's why I wrote this !!! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload utility ?
Frank Bonnet f.bon...@esiee.fr wrote: On 02/07/2011 05:01 PM, Daniel Brown wrote: On Mon, Feb 7, 2011 at 10:56, Frank Bonnetf.bon...@esiee.fr wrote: Hello I'm searching for a utility that let our users upload a file on a server , then generate a temporary link that point to the real file. As this is for internal use we don't need security, the file can be read by anyone. The goal is to distribute the file to our users by sending them an email containing the address of the http temporary link instead of sending it as an email attachement X 1000 ... Sounds great. Good luck in your Google search. I found nothing that's why I wrote this !!! -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php Try googling for the following bits: File upload form move_uploaded_file() file_get_contents() That will get you going, then if you have written a script and get stuck then you can ask us on specifics here. We don't write whole code for you. Thanks Ash http://www.ashleysheridan.co.uk -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload utility ?
On 2/7/2011 8:03 AM, Frank Bonnet wrote: On 02/07/2011 05:01 PM, Daniel Brown wrote: On Mon, Feb 7, 2011 at 10:56, Frank Bonnetf.bon...@esiee.fr wrote: Hello I'm searching for a utility that let our users upload a file on a server , then generate a temporary link that point to the real file. As this is for internal use we don't need security, the file can be read by anyone. The goal is to distribute the file to our users by sending them an email containing the address of the http temporary link instead of sending it as an email attachement X 1000 ... Sounds great. Good luck in your Google search. I found nothing that's why I wrote this !!! Frank, Not sure what words you used, here was mine php file upload examples Those words resulted in these two at the top of the list http://www.tizag.com/phpT/fileupload.php http://www.w3schools.com/PHP/php_file_upload.asp I briefly read each of them and they are sufficient for what you are trying to do. All you have to do is tie in the email portion and that's that. So, again, to google, I typed these wonderful words of wisdom. php email example The first result was this http://www.w3schools.com/PHP/php_mail.asp This will get you a very simple email script working. Personally, I would not do it this way, but since you mention that this will be all internal, it will probably do just fine. If you want a little more control over the email or plan to use this to send email to outside recipients, I would recommend doing it differently. phpmailer Download that package, then follow its tutorials on how to set it up and send emails. phpmailer examples The first result is this http://phpmailer.worxware.com/index.php?pg=examples It has a variety of examples that should cover almost any scenario you can possibly think of. Just one thing, do not try and be a cut/paste god here. Actually take time to read the examples and understand what they do before you put them into production. This will now end my How to use Google segment for the day. Jim Lucas -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload utility ?
On Mon, Feb 7, 2011 at 11:03, Frank Bonnet f.bon...@esiee.fr wrote: I found nothing that's why I wrote this !!! My point is, you only told everyone what you're trying to do. Not once did you ask a question or mention where you're seeking guidance, other than your ambivalence on file uploads and distribution. The ambiguous nature of your expression makes it even more difficult: you want a utility, not help in authoring it in PHP. This is a PHP programming mailing list for peer-to-peer support by members of the community, not a tell me the name of software I can download to do this job group. -- /Daniel P. Brown Network Infrastructure Manager Documentation, Webmaster Teams http://www.php.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File-Upload per Drag-N-Drop?
On Wed, Dec 29, 2010 at 07:23:25PM +0100, Michelle Konzack wrote: Hello, my users have an Online-File-Store with nearly anything they need but one feature is missing: Drag-D-Drop. I like to implement Drag-D-Drop so users can Drag a file from a File- Manager and Drop it on the Upload-Icon in my Webinterface. Can someone tell me HOW THIS WORKS? This is a client-side question. Javascript can handle drag-n-drop; WordPress does this in its site administration screens. However, it does not do it from a file manager window. In any case, this is a client side, not a PHP question. Paul -- Paul M. Foster http://noferblatz.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File-Upload per Drag-N-Drop?
On Wed, Dec 29, 2010 at 13:23, Michelle Konzack linux4miche...@tamay-dogan.net wrote: Hello, my users have an Online-File-Store with nearly anything they need but one feature is missing: Drag-D-Drop. I like to implement Drag-D-Drop so users can Drag a file from a File- Manager and Drop it on the Upload-Icon in my Webinterface. Can someone tell me HOW THIS WORKS? That's more of a frontend question to which you and your six-million-line signature should check Google to find the answer. Don't get me wrong, Michelle, we've always tried to help out even with off-topic questions, but this is really pushing it a bit too far with all of the non-PHP questions you've been asking lately. -- /Daniel P. Brown Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting (866-) 725-4321 http://www.parasane.net/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] File-Upload per Drag-N-Drop?
-Original Message- From: Michelle Konzack [mailto:linux4miche...@tamay-dogan.net] Sent: Wednesday, December 29, 2010 10:23 AM To: PHP - General Subject: [PHP] File-Upload per Drag-N-Drop? Hello, my users have an Online-File-Store with nearly anything they need but one feature is missing: Drag-D-Drop. I like to implement Drag-D-Drop so users can Drag a file from a File- Manager and Drop it on the Upload-Icon in my Webinterface. Can someone tell me HOW THIS WORKS? This sounds like RIA = Rich Internet Application. Try google'ing for it. YMMV depends on platform technology supported. Regards, Tommy Thanks, Greetings and nice Day/Evening Michelle Konzack -- # Debian GNU/Linux Consultant ## Development of Intranet and Embedded Systems with Debian GNU/Linux itsyst...@tdnet France EURL itsyst...@tdnet UG (limited liability) Owner Michelle KonzackOwner Michelle Konzack Apt. 917 (homeoffice) 50, rue de Soultz Kinzigstraße 17 67100 Strasbourg/France 77694 Kehl/Germany Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil Tel: +33-9-52705884 fix http://www.itsystems.tamay-dogan.net/ http://www.flexray4linux.org/ http://www.debian.tamay-dogan.net/ http://www.can4linux.org/ Jabber linux4miche...@jabber.ccc.de Linux-User #280138 with the Linux Counter, http://counter.li.org/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File-Upload per Drag-N-Drop?
On Wed, Dec 29, 2010 at 10:30 AM, Daniel P. Brown daniel.br...@parasane.net wrote: That's more of a frontend question to which you and your six-million-line signature should check Google to find the answer. Don't get me wrong, Michelle, we've always tried to help out even with off-topic questions, but this is really pushing it a bit too far with all of the non-PHP questions you've been asking lately. a) +1 - this isn't php-general anymore this feels like michelle-development-requests (with a horribly long signature) - but I don't mean to be harsh. b) HTML5 should be what you want, at some point very soon. Silverlight isn't fully cross platform Java is your most universal applet language fFash has odd issues, but would be second best but HTML5, that's going to address it all. Google for plupload it has all the different upload applet types and tries to determine which one will be best for you. has the client side and server side pieces included. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File-Upload per Drag-N-Drop?
On a slight tangent, but is that signature why I'm not able to read any of michelles emails on my phone? For some reason, only her emails get stuck and won't download, so I have to wait til someone else replies. To answer the question on this, I've not yet seen a cross platform answer to this question; only several different platform dependent solutions from one vendor to handle each main OS. Thanks, Ash http://www.ashleysheridan.co.uk - Reply message - From: Michael Shadle mike...@gmail.com Date: Wed, Dec 29, 2010 21:38 Subject: [PHP] File-Upload per Drag-N-Drop? To: Michelle Konzack linux4miche...@tamay-dogan.net Cc: PHP - General php-general@lists.php.net On Wed, Dec 29, 2010 at 10:30 AM, Daniel P. Brown daniel.br...@parasane.net wrote: That's more of a frontend question to which you and your six-million-line signature should check Google to find the answer. Don't get me wrong, Michelle, we've always tried to help out even with off-topic questions, but this is really pushing it a bit too far with all of the non-PHP questions you've been asking lately. a) +1 - this isn't php-general anymore this feels like michelle-development-requests (with a horribly long signature) - but I don't mean to be harsh. b) HTML5 should be what you want, at some point very soon. Silverlight isn't fully cross platform Java is your most universal applet language fFash has odd issues, but would be second best but HTML5, that's going to address it all. Google for plupload it has all the different upload applet types and tries to determine which one will be best for you. has the client side and server side pieces included. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload
Ali Reza Sajedi wrote on 30/01/2010 12:27: UPLOAD_ERR_NO_TMP_DIR Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 5.0.3. Has anyone encountered such a problem or has a clue as to what the cause could be? What does print phpinfo(); tell you about the upload_tmp_dir? -- Kind regards Kim Emax - masterminds.dk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload
On Sat, Jan 30, 2010 at 7:27 PM, Ali Reza Sajedi arsaj...@khanehjou.comwrote: Hello, When uploading a file the variable $_FILES['userfile']['tmp_name'] is not set and when debugging I get the following error although /tmp folder exists and the permissions are set to 777: $_FILES['userfile']['error'] = 6 which says UPLOAD_ERR_NO_TMP_DIR Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 5.0.3. Has anyone encountered such a problem or has a clue as to what the cause could be? It might be the upload_tmp_dir no pointing to the right dir ! What is the current of it ? Regards, Eric, Thank you. Kind regards Ali -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload
Thank you for your replys. In php.ini upload_tmp_dir is not set, so that the system should use its default tmp folder. It used to work properly. But, after a system update from centos5.3 to centos5.4 this malfunction is now observed. Any idea? Kind regards Ali - Original Message - From: Eric Lee To: Ali Reza Sajedi Cc: phpList list Sent: Saturday, January 30, 2010 1:21 PM Subject: Re: [PHP] File Upload On Sat, Jan 30, 2010 at 7:27 PM, Ali Reza Sajedi arsaj...@khanehjou.com wrote: Hello, When uploading a file the variable $_FILES['userfile']['tmp_name'] is not set and when debugging I get the following error although /tmp folder exists and the permissions are set to 777: $_FILES['userfile']['error'] = 6 which says UPLOAD_ERR_NO_TMP_DIR Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 5.0.3. Has anyone encountered such a problem or has a clue as to what the cause could be? It might be the upload_tmp_dir no pointing to the right dir ! What is the current of it ? Regards, Eric, Thank you. Kind regards Ali -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload
On Sat, 2010-01-30 at 14:40 +0100, Ali Reza Sajedi wrote: Thank you for your replys. In php.ini upload_tmp_dir is not set, so that the system should use its default tmp folder. It used to work properly. But, after a system update from centos5.3 to centos5.4 this malfunction is now observed. Any idea? Kind regards Ali - Original Message - From: Eric Lee To: Ali Reza Sajedi Cc: phpList list Sent: Saturday, January 30, 2010 1:21 PM Subject: Re: [PHP] File Upload On Sat, Jan 30, 2010 at 7:27 PM, Ali Reza Sajedi arsaj...@khanehjou.com wrote: Hello, When uploading a file the variable $_FILES['userfile']['tmp_name'] is not set and when debugging I get the following error although /tmp folder exists and the permissions are set to 777: $_FILES['userfile']['error'] = 6 which says UPLOAD_ERR_NO_TMP_DIR Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 5.0.3. Has anyone encountered such a problem or has a clue as to what the cause could be? It might be the upload_tmp_dir no pointing to the right dir ! What is the current of it ? Regards, Eric, Thank you. Kind regards Ali -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php The upgrade just changed the setting. If you set this in your php.ini, it should work again. Thanks, Ash http://www.ashleysheridan.co.uk
Re: [PHP] File upload directive: $_FILES['filename']['name'] instead of $_FILES['filename']['tmp_name']
2009/12/23 Andrei Iarus poni1...@yahoo.com
Found the problem: I use Zend Framework, and after using a procedre, it is
automatically moved. :( Thanks very much, I thought it was a problem with
PHP, but from now on, it is a Zend Framework problem. Thanks again.
--- On Wed, 12/23/09, Richard Quadling rquadl...@googlemail.com wrote:
From: Richard Quadling rquadl...@googlemail.com
Subject: Re: [PHP] File upload directive: $_FILES['filename']['name'] instead
of $_FILES['filename']['tmp_name']
To: Andrei Iarus poni1...@yahoo.com, PHP General list
php-general@lists.php.net
Date: Wednesday, December 23, 2009, 7:52 PM
2009/12/23 Andrei Iarus poni1...@yahoo.com:
Of course: also tried the is_uploaded_file, exactly like in the manual. And
it fails :(
--- On Wed, 12/23/09, Richard Quadling rquadl...@googlemail.com wrote:
From: Richard Quadling rquadl...@googlemail.com
Subject: Re: [PHP] File upload directive: $_FILES['filename']['name']
instead of $_FILES['filename']['tmp_name']
To: Andrei Iarus poni1...@yahoo.com
Cc: php-general@lists.php.net
Date: Wednesday, December 23, 2009, 6:10 PM
2009/12/22 Andrei Iarus poni1...@yahoo.com:
Hello,
On my production testing servers (production runs on a centrino and
testing runs on Windows) I can only access the temporary uploaded file
using
ini_get( 'upload_tmp_dir' . '/' . $_FILES['filename']['name'];
while the file $_FILES['filename']['tmp_name'] simply does not exist
(checked with file_exists() function, and also looking in the temporary
folder).
Is there a problem with my PHP installations? Is there any directive to
change this bihaviour?
On production: PHP 5.2.10 and on testing: PHP 5.2.8 and 5.3.0
Thanks in advance.
2 functions to get to grips with:
1 - is_uploaded_file()
2 - move_uploaded_file()
Example from http://php.net/is_uploaded_file
?php
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
echo File . $_FILES['userfile']['name'] . uploaded successfully.\n;
echo Displaying contents\n;
readfile($_FILES['userfile']['tmp_name']);
} else {
echo Possible file upload attack: ;
echo filename '. $_FILES['userfile']['tmp_name'] . '.;
}
?
--
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
What version of Windows?
Can you provide a really basic test?
And a var_dump($_FILES) please?
--
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
Glad you got it worked out.
--
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File upload directive: $_FILES['filename']['name'] instead of $_FILES['filename']['tmp_name']
2009/12/22 Andrei Iarus poni1...@yahoo.com:
Hello,
On my production testing servers (production runs on a centrino and testing
runs on Windows) I can only access the temporary uploaded file using
ini_get( 'upload_tmp_dir' . '/' . $_FILES['filename']['name'];
while the file $_FILES['filename']['tmp_name'] simply does not exist (checked
with file_exists() function, and also looking in the temporary folder).
Is there a problem with my PHP installations? Is there any directive to
change this bihaviour?
On production: PHP 5.2.10 and on testing: PHP 5.2.8 and 5.3.0
Thanks in advance.
2 functions to get to grips with:
1 - is_uploaded_file()
2 - move_uploaded_file()
Example from http://php.net/is_uploaded_file
?php
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
echo File . $_FILES['userfile']['name'] . uploaded successfully.\n;
echo Displaying contents\n;
readfile($_FILES['userfile']['tmp_name']);
} else {
echo Possible file upload attack: ;
echo filename '. $_FILES['userfile']['tmp_name'] . '.;
}
?
--
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File upload directive: $_FILES['filename']['name'] instead of $_FILES['filename']['tmp_name']
2009/12/23 Andrei Iarus poni1...@yahoo.com:
Of course: also tried the is_uploaded_file, exactly like in the manual. And
it fails :(
--- On Wed, 12/23/09, Richard Quadling rquadl...@googlemail.com wrote:
From: Richard Quadling rquadl...@googlemail.com
Subject: Re: [PHP] File upload directive: $_FILES['filename']['name']
instead of $_FILES['filename']['tmp_name']
To: Andrei Iarus poni1...@yahoo.com
Cc: php-general@lists.php.net
Date: Wednesday, December 23, 2009, 6:10 PM
2009/12/22 Andrei Iarus poni1...@yahoo.com:
Hello,
On my production testing servers (production runs on a centrino and
testing runs on Windows) I can only access the temporary uploaded file using
ini_get( 'upload_tmp_dir' . '/' . $_FILES['filename']['name'];
while the file $_FILES['filename']['tmp_name'] simply does not exist
(checked with file_exists() function, and also looking in the temporary
folder).
Is there a problem with my PHP installations? Is there any directive to
change this bihaviour?
On production: PHP 5.2.10 and on testing: PHP 5.2.8 and 5.3.0
Thanks in advance.
2 functions to get to grips with:
1 - is_uploaded_file()
2 - move_uploaded_file()
Example from http://php.net/is_uploaded_file
?php
if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
echo File . $_FILES['userfile']['name'] . uploaded successfully.\n;
echo Displaying contents\n;
readfile($_FILES['userfile']['tmp_name']);
} else {
echo Possible file upload attack: ;
echo filename '. $_FILES['userfile']['tmp_name'] . '.;
}
?
--
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
What version of Windows?
Can you provide a really basic test?
And a var_dump($_FILES) please?
--
-
Richard Quadling
Standing on the shoulders of some very clever giants!
EE : http://www.experts-exchange.com/M_248814.html
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload question
On Aug 3, 2009, at 7:04 AM, seb sebast...@triponthis.net wrote:
Hey all,
i am using move_upload function to upload files to the server, but i
want to add a feature that will allow files to be archived that have
been uploaded already.
so, the problem is:
i upload a file that i want to upgrade and move the old file to an
archive directory but I want to verify the NEW file is upload BEFORE
moving the old file (the file being uploaded might not have the same
filename as the old file currently on the server)..
i want to move the old file only when the new file was successfully
uploaded. something like:
only one problem.. then if both files have the same name it will be
overwritten before it moves the old one i want to save. if i move
the old one first, there still the possibility of the new upload
failing so i am back to square one..
i guess i can move_upload to a different directory, verify it's been
uploaded, move the old to the archive file, then move the new file
back to where it should be (where the archive file was)..
is that my only option? any suggestions?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Do an check for the file before moving it
If(file_exists($filename)){
// copy file out to archive
}
}if(move_uploaded_file())
{
}
Bastien
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: php File upload
Problem solved (at one machine)! I can upload a ~ 2 GB File now on a machine with 1 GB Main Memory! No Problem, swap is used but no break now. The answer is, i think, the dramatical overhead for http upload, simply my post_max_size and upload_max_size are to small. If i will upload 1 GB it must minimum 1.5 GB (better more) on this limit variables. Im very glad to fix this problem, but the next one is here: Other machine (but 2 GB Ram), same suse version, same (working now) php.ini with limits to 5000M now and i can't upload a File greater than 900MB. A file under 900MB i see the tmp file growing. A File with +1 GB no temp file seeing at all and break after a view minutes. It's horrible with no error codes and wasting pure of time :-( Now i begin at bottom on this machine. Thanx for alle, who look for this problem. Now we are the very only that can say that php 100% working file uploads if memory lower than the file size :-) Tom [EMAIL PROTECTED] schrieb im Newsbeitrag news:[EMAIL PROTECTED] Hi, on a linux system (Suese 10.2) with 1 GB memory its not possible to upload via http a 1 Gb File. Thats no limit problem on my php config. i can look the mem stats when uploading and the growing tmp file. If the temp file has 900 MB, Main Memory free is 0 and the script aborts and php deletes the tmp file. Why don't php use swap memory ? Greets Tom -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: php File upload
Tom wrote: Im very glad to fix this problem, but the next one is here: Other machine (but 2 GB Ram), same suse version, same (working now) php.ini with limits to 5000M now and i can't upload a File greater than 900MB. A file under 900MB i see the tmp file growing. A File with +1 GB no temp file seeing at all and break after a view minutes. It's horrible with no error codes and wasting pure of time :-( The maximum size of an HTTP request is 2Gb. /Per Jessen, Zürich -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: php File upload
Per Jessen wrote: Tom wrote: Im very glad to fix this problem, but the next one is here: Other machine (but 2 GB Ram), same suse version, same (working now) php.ini with limits to 5000M now and i can't upload a File greater than 900MB. A file under 900MB i see the tmp file growing. A File with +1 GB no temp file seeing at all and break after a view minutes. It's horrible with no error codes and wasting pure of time :-( The maximum size of an HTTP request is 2Gb. /Per Jessen, Zürich Also bear in mind that the file is MIME encoded (so probably actually a base-64 stream or some such) and the actual size of the data sent in the request is therefore likely to be some fraction bigger than the file itself (like 33% bigger for base-64 encoding) -- Peter Ford phone: 01580 89 Developer fax: 01580 893399 Justcroft International Ltd., Staplehurst, Kent -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: php File upload
You could always program in something (perhaps in Ajax) to monitor the progress of the file upload and check for errors periodically. Luke Slater On 8 Aug 2008, at 11:55, Peter Ford [EMAIL PROTECTED] wrote: Per Jessen wrote: Tom wrote: Im very glad to fix this problem, but the next one is here: Other machine (but 2 GB Ram), same suse version, same (working now) php.ini with limits to 5000M now and i can't upload a File greater than 900MB. A file under 900MB i see the tmp file growing. A File with +1 GB no temp file seeing at all and break after a view minutes. It's horrible with no error codes and wasting pure of time :-( The maximum size of an HTTP request is 2Gb. /Per Jessen, Zürich Also bear in mind that the file is MIME encoded (so probably actually a base-64 stream or some such) and the actual size of the data sent in the request is therefore likely to be some fraction bigger than the file itself (like 33% bigger for base-64 encoding) -- Peter Ford phone: 01580 89 Developer fax: 01580 893399 Justcroft International Ltd., Staplehurst, Kent -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: php File upload
What is set this limit? Per Jessen [EMAIL PROTECTED] schrieb im Newsbeitrag news:[EMAIL PROTECTED] Tom wrote: Im very glad to fix this problem, but the next one is here: Other machine (but 2 GB Ram), same suse version, same (working now) php.ini with limits to 5000M now and i can't upload a File greater than 900MB. A file under 900MB i see the tmp file growing. A File with +1 GB no temp file seeing at all and break after a view minutes. It's horrible with no error codes and wasting pure of time :-( The maximum size of an HTTP request is 2Gb. /Per Jessen, Zürich -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Re: php File upload
Tom wrote: Per Jessen [EMAIL PROTECTED] schrieb im Newsbeitrag news:[EMAIL PROTECTED] Tom wrote: Im very glad to fix this problem, but the next one is here: Other machine (but 2 GB Ram), same suse version, same (working now) php.ini with limits to 5000M now and i can't upload a File greater than 900MB. A file under 900MB i see the tmp file growing. A File with +1 GB no temp file seeing at all and break after a view minutes. It's horrible with no error codes and wasting pure of time :-( The maximum size of an HTTP request is 2Gb. What is set this limit? I can't find it, but I'm pretty certain it's in RFC2616. /Per Jessen, Zürich -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security
How was it hacked? That will help determine what kind of exploit might have been used. On 4/11/08, Al [EMAIL PROTECTED] wrote: One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with nobody ownership, so it's obvious stuff is not via ftp [ownership would be foo] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security
The hack puts this .htaccess in dozens of dirs
RewriteEngine On
RewriteCond %{HTTP_REFERER}
^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\.
[NC]
RewriteCond %{HTTP_REFERER}
[?](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
RewriteCond %{HTTP_REFERER}
\=[^]+(%3A|%22)
RewriteCond %{TIME_SEC} 59
RewriteRule ^.*$ /StartLocs/maps/kapicag/ex3/t.htm [L]
#
a995d2cc661fa72452472e9554b5520c
The kapicag/ex3/t.htm appears to be phishing site.
mike wrote:
How was it hacked?
That will help determine what kind of exploit might have been used.
On 4/11/08, Al [EMAIL PROTECTED] wrote:
One of my sites has been hacked and I'm trying to find the hole. The hack
code creates dirs with nobody ownership, so it's obvious stuff is not via
ftp [ownership would be foo]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security
I would recommend something more strong
http://www.php.net/manual/en/function.exif-imagetype.php
or if you dont have exif
http://www.php.net/manual/en/function.getimagesize.php
will do also a trick.
One more thing, you are also allowing .txt and .css which may be
potential hole, as Apache can run .css also through PHP engine if
configured to do so.
Sometimes I use PHP to process CSS so I can have dynamic CSS for some
rare cases.
On Apr 12, 2008, at 2:24 AM, Al wrote:
One of my sites has been hacked and I'm trying to find the hole.
The hack code creates dirs with nobody ownership, so it's obvious
stuff is not via ftp [ownership would be foo]
Site is virtual host, Linux/Apache
I'm concerned about a file uploader my users use to upload photos.
Can anyone see a hole in this scrip? Can my code upload an
executable masquerading as an image file?
$filetype = array(gif, jpg, jpeg, png, txt, css)
function csvt_file_upload($filetype, $max_size)
{
$prohibits = array(exe, php, inc, php3, pl, bat,
cgi); //common executables.
$absolute_max_size = 200;
end($_FILES); //get the name used by the html input.
$name = key($_FILES); //could use the register variables, but
this is safer.
if(isset($_FILES[$name]['name'])) $input_name = $_FILES[$name]
['name'];
$error = no; //reset for error checks
if (!isset($filetype)) {
echo p style=\color:red\ File type assignment
missing /p ;
$error = yes;
};
if (!isset($max_size)) {
echo p style=\color:red\ Max file size assignment
missing./p;
$error = yes;
};
$filename = $_FILES[$name]['name'];
$tmp_name = $_FILES[$name]['tmp_name'];
$size = $_FILES[$name]['size'];
$absolute_path_file = getcwd(). DATA_DIR . $filename;
if (($size = $max_size) OR ($size $absolute_max_size)) {
echo p style=\color:red\ File size is too large./p ;
$error = yes;
}
$ext = substr(strrchr($filename, .), 1); //get the extension,
remove the .
if (in_array($ext, $prohibits)) {
echo p style=\color:red\Illegal file type,
executable./p\r\n;
$error = yes;
}
if (is_executable($filename)) {
echo p style=\color:red\Illegal file type, executable
file./p\r\n;
$error = yes;
} //This is a double check in case $prohibits is incomplete.
if (is_array($filetype) AND !in_array($ext, $filetype)) {
echo p style=\color:red\Illegal file type./p\r\n;
$error = yes;
}
if(!is_array($filetype) AND ($filetype != $ext)){
echo p style=\color:red\Illegal file type./p\r\n;
$error = yes;
}
if ($error == yes) {
echo p style=\color:red\There was an error(s) with
your file selection \$input_name\ as the note(s) indicates.
Please reselect, or remove your file selection and email for help.
/p\r\n;
}
else {
if(!move_uploaded_file($tmp_name, $absolute_path_file))
die(p style=\color:red\There was an error saving your file.
Check permissions of . DATA_DIR . Must be 777 /p\r\n);
chmod($absolute_path_file, 0644);
}
return;
}
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Igor Jocic
http://www.carster.us/
Re: [PHP] File Upload Security
Al wrote: One of my sites has been hacked and I'm trying to find the hole. The hack code creates dirs with nobody ownership, so it's obvious stuff is not via ftp [ownership would be foo] Site is virtual host, Linux/Apache I'm concerned about a file uploader my users use to upload photos. !-- SNIP -- First off, file type means NOTHING to people using uploaders. I have had a number of people try to hack my site with my uploader and they never succeed. If you don't parse the first few lines of the file, you're probably gonna find yourself hacked again. Depending on the size of the machine, you could just read the whole file and look for php somewhere in it, and if it exists, erase immediately. image.php.gif.jpg would pass your test as far as checking extensions. I have a number of the scripts used by others to try to hack my site available for download/review. If you search the archives, you should find them. If not, contact me directly and I'll send you the link to them. HTH, Wolf -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Sukhwinder Singh wrote: You don't appear to have read what I said. A Java applet can use FTP to upload the file - PHP does not get involved in that part. Once the upload is complete the applet can POST to your PHP file giving it information like where it's put the file and this other information you need to give it so it can rename the file. This is the only bit PHP gets involved in and it doesn't involve trying to upload 4 gig over a machanism that was never designed for it. Thanks again for replying. I have read. I have been trying to find out way for last two days. I can say about jupload and how it seems to work. It uploads file to server in a temporary directory. It has postURL parameter. Then it POSTS the data to php file. Because it POSTS, the php configuration values comes into question. Here is an example: Settings in php.ini are 50M for upload_max_fisesize and 50M for post_max_size. I used japplet and uploaded a 51.89 MB file. This is what is in error log. [08-Jun-2007 03:06:29] PHP Warning: POST Content-Length of 54414946 bytes exceeds the limit of 52428800 bytes in Unknown on line 0 [08-Jun-2007 03:06:29] PHP Notice: Undefined index: File0 in E:\projects\ice\post_test.php on line 13 File0 is the first file in $_FILES array, as POST fails I don't get that array. I uploaded a 48 MB file and it worked without any problem. Ok, I think I see where your confusion is coming from. I'm not suggesting that the applet I'm describing already exists - it would be something you'd have to write or commission someone to write for you. Every existing file upload applet I've ever come across uses HTTP POST to upload the files, but this is not what you need. It will almost certainly have to be a bespoke solution. Another way you might approach it would be to define a naming convention for uploaded files and accept them via normal FTP upload. The user then visits your website and fills in a form that will tell your PHP script where to find the file as well as giving it the other information it needs. Setting up a secure write-only FTP server is well documented on the net, but is well beyond the scope of this mailing list. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
At 4:35 PM +0100 6/7/07, Stut wrote: You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -Stut: Would the ftp commands (ftp_login, etc.) in php work for this? Cheers, tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
tedd wrote: At 4:35 PM +0100 6/7/07, Stut wrote: You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -Stut: Would the ftp commands (ftp_login, etc.) in php work for this? Unfortunately not, unless every user needing to upload a file is running an FTP server. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
On Fri, 2007-06-08 at 10:53 -0400, tedd wrote: At 4:35 PM +0100 6/7/07, Stut wrote: You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -Stut: Would the ftp commands (ftp_login, etc.) in php work for this? No, those are for initiating an FTP connection from the server on which PHP is hosted. Cheers, Rob. -- .. | InterJinn Application Framework - http://www.interjinn.com | :: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
On Thu, June 7, 2007 10:52 am, Jim Moseby wrote: Rumor has it that uploaded files are stored in memory before being committed to disk. If so, the amount of free RAM available to PHP would be the limit to the filesize regardless of the ini file settings. I think you have to go pretty far back in PHP history (in 'net time) to find that to be true... Not 100% sure, mind you, but pretty sure. -- Some people have a gift link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
I think you have to go pretty far back in PHP history (in 'net time) to find that to be true... Not 100% sure, mind you, but pretty sure. I also think that the thing about memory limit is not true these days. I have been able to upload 3.28 gb file with memory limit specified as 128 MB. I also commened about it earlier but was referred to php manual. The manual says that yes, and I head read it myself but didn't increase the memonry and it still worked Sukhwinder Singh - Original Message - From: Richard Lynch [EMAIL PROTECTED] To: Jim Moseby [EMAIL PROTECTED] Cc: 'Sukhwinder Singh' [EMAIL PROTECTED]; php-general@lists.php.net Sent: Saturday, June 09, 2007 5:15 AM Subject: RE: [PHP] File Upload - post_max_size and upload_max_filesize in GBs On Thu, June 7, 2007 10:52 am, Jim Moseby wrote: Rumor has it that uploaded files are stored in memory before being committed to disk. If so, the amount of free RAM available to PHP would be the limit to the filesize regardless of the ini file settings. I think you have to go pretty far back in PHP history (in 'net time) to find that to be true... Not 100% sure, mind you, but pretty sure. -- Some people have a gift link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Sukhwinder Singh wrote: I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set post_max_size = 4G upload_max_filesize = 4G in php.ini, it doesn't work and everything in post (posted data) is ignored. I get a warning about size of posted data greater than some negative number. I read somewhere that php stores this data in integer. I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2). Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works We need to allow uploading of 4 GB files. Is there any solution. Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for uploading files, especially large ones. And by large ones I mean ~20MB!! You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Thanks for your reply. So you are saying I cannot do it using php. These files have to be uploaded locally but using web interface and I have to pass some parameters along with file upload to update the database after upload is successful. Also I have to rename the file after it is uploaded. Any utility which allows this? Thanks, Sukhwinder Singh - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Thursday, June 07, 2007 8:35 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set post_max_size = 4G upload_max_filesize = 4G in php.ini, it doesn't work and everything in post (posted data) is ignored. I get a warning about size of posted data greater than some negative number. I read somewhere that php stores this data in integer. I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2). Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works We need to allow uploading of 4 GB files. Is there any solution. Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for uploading files, especially large ones. And by large ones I mean ~20MB!! You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Hello, I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set post_max_size = 4G upload_max_filesize = 4G in php.ini, it doesn't work and everything in post (posted data) is ignored. I get a warning about size of posted data greater than some negative number. I read somewhere that php stores this data in integer. I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2). Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works We need to allow uploading of 4 GB files. Is there any solution. Regards, Sukhwinder Singh Rumor has it that uploaded files are stored in memory before being committed to disk. If so, the amount of free RAM available to PHP would be the limit to the filesize regardless of the ini file settings. You should probably use another method of transport for files that large. FTP immediately comes to mind. JM -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Sukhwinder Singh wrote: Thanks for your reply. So you are saying I cannot do it using php. These files have to be uploaded locally but using web interface and I have to pass some parameters along with file upload to update the database after upload is successful. Also I have to rename the file after it is uploaded. Any utility which allows this? Sounds like you need a Java applet. I have little experience with this, but I know that quite a few exist. I have no idea if any of them support sending meta data with the upload. I suggest you start Googling. -Stut - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Thursday, June 07, 2007 8:35 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set post_max_size = 4G upload_max_filesize = 4G in php.ini, it doesn't work and everything in post (posted data) is ignored. I get a warning about size of posted data greater than some negative number. I read somewhere that php stores this data in integer. I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2). Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works We need to allow uploading of 4 GB files. Is there any solution. Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for uploading files, especially large ones. And by large ones I mean ~20MB!! You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Rumor has it that uploaded files are stored in memory before being committed to disk. If so, the amount of free RAM available to PHP would be the limit to the filesize regardless of the ini file settings. I don't think that is the case. File is written to temp directory as it is uploaded. And the qeustion is of php having negative values after I specify post size limit to 4G You should probably use another method of transport for files that large. FTP immediately comes to mind. You mean ftp client? Like cute ftp. If yes, the problem is that along with uploading the file I also have to update database to associate that file with some user etc. It needs to be web based. Sukhwinder Singh - Original Message - From: Jim Moseby [EMAIL PROTECTED] To: 'Sukhwinder Singh' [EMAIL PROTECTED]; php-general@lists.php.net Sent: Thursday, June 07, 2007 8:52 PM Subject: RE: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Hello, I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set post_max_size = 4G upload_max_filesize = 4G in php.ini, it doesn't work and everything in post (posted data) is ignored. I get a warning about size of posted data greater than some negative number. I read somewhere that php stores this data in integer. I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2). Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works We need to allow uploading of 4 GB files. Is there any solution. Regards, Sukhwinder Singh Rumor has it that uploaded files are stored in memory before being committed to disk. If so, the amount of free RAM available to PHP would be the limit to the filesize regardless of the ini file settings. You should probably use another method of transport for files that large. FTP immediately comes to mind. JM -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
A beeter method is to send the file via ftp. I think most browsers allow this. And for example store the file in a user specific file. Then the user, via a web interface, select the file it has uploaded and do the rest of the operations you need. Along with uploading the file I also have to pass other information to update the database to associate that file with some user etc. What kind of ftp method you are suggesting? Sukhwinder Singh - Original Message - From: jose javier parra sanchez [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Sent: Thursday, June 07, 2007 8:59 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs A beeter method is to send the file via ftp. I think most browsers allow this. And for example store the file in a user specific file. Then the user, via a web interface, select the file it has uploaded and do the rest of the operations you need. 2007/6/7, Sukhwinder Singh [EMAIL PROTECTED]: Thanks for your reply. So you are saying I cannot do it using php. These files have to be uploaded locally but using web interface and I have to pass some parameters along with file upload to update the database after upload is successful. Also I have to rename the file after it is uploaded. Any utility which allows this? Thanks, Sukhwinder Singh - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Thursday, June 07, 2007 8:35 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set post_max_size = 4G upload_max_filesize = 4G in php.ini, it doesn't work and everything in post (posted data) is ignored. I get a warning about size of posted data greater than some negative number. I read somewhere that php stores this data in integer. I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2). Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works We need to allow uploading of 4 GB files. Is there any solution. Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for uploading files, especially large ones. And by large ones I mean ~20MB!! You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Sukhwinder Singh wrote: Rumor has it that uploaded files are stored in memory before being committed to disk. If so, the amount of free RAM available to PHP would be the limit to the filesize regardless of the ini file settings. I don't think that is the case. File is written to temp directory as it is uploaded. And the qeustion is of php having negative values after I specify post size limit to 4G I would hazard a guess that you're overflowing a signed 32-bit int by specifying 4gig, but I could be wrong. It's certainly not the issue. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
I would hazard a guess that you're overflowing a signed 32-bit int by specifying 4gig, but I could be wrong. It's certainly not the issue. Yes you are right. That is what is happening. Sukhwinder Singh - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: Jim Moseby [EMAIL PROTECTED]; php-general@lists.php.net Sent: Thursday, June 07, 2007 9:16 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: Rumor has it that uploaded files are stored in memory before being committed to disk. If so, the amount of free RAM available to PHP would be the limit to the filesize regardless of the ini file settings. I don't think that is the case. File is written to temp directory as it is uploaded. And the qeustion is of php having negative values after I specify post size limit to 4G I would hazard a guess that you're overflowing a signed 32-bit int by specifying 4gig, but I could be wrong. It's certainly not the issue. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Sounds like you need a Java applet. I have little experience with this, but I know that quite a few exist. I have no idea if any of them support sending meta data with the upload. I suggest you start Googling. Even java applets have to hand over the file to some script, in this case php and php will get it in $_FILES array it seems (in case of japplet). so the problem will remain. - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Thursday, June 07, 2007 8:56 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: Thanks for your reply. So you are saying I cannot do it using php. These files have to be uploaded locally but using web interface and I have to pass some parameters along with file upload to update the database after upload is successful. Also I have to rename the file after it is uploaded. Any utility which allows this? Sounds like you need a Java applet. I have little experience with this, but I know that quite a few exist. I have no idea if any of them support sending meta data with the upload. I suggest you start Googling. -Stut - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Thursday, June 07, 2007 8:35 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set post_max_size = 4G upload_max_filesize = 4G in php.ini, it doesn't work and everything in post (posted data) is ignored. I get a warning about size of posted data greater than some negative number. I read somewhere that php stores this data in integer. I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2). Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works We need to allow uploading of 4 GB files. Is there any solution. Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for uploading files, especially large ones. And by large ones I mean ~20MB!! You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Rumor has it that uploaded files are stored in memory before being committed to disk. If so, the amount of free RAM available to PHP would be the limit to the filesize regardless of the ini file settings. I don't think that is the case. File is written to temp directory as it is uploaded. And the qeustion is of php having negative values after I specify post size limit to 4G There is a comment in the documentation for move_uploaded_file() that indicates the entire file is saved in memory prior to writing to the temporary upload area. Maybe this is not true. Read it for yourself. Its just a comment, so who knows? Also, there is an indication that you may need to tweak memory_limit in php.ini. You should probably use another method of transport for files that large. FTP immediately comes to mind. You mean ftp client? Like cute ftp. If yes, the problem is that along with uploading the file I also have to update database to associate that file with some user etc. It needs to be web based. After a quick search I found an applet that handles file uploads, and can use FTP as the transport protocol. http://radinks.com/upload/ JM -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Sukhwinder Singh wrote: Sounds like you need a Java applet. I have little experience with this, but I know that quite a few exist. I have no idea if any of them support sending meta data with the upload. I suggest you start Googling. Even java applets have to hand over the file to some script, in this case php and php will get it in $_FILES array it seems (in case of japplet). so the problem will remain. Not at all true. A Java applet can use FTP to handle the upload and still pass meta data about the file as an HTTP POST request. There is no requirement to use HTTP to upload the file from a Java applet. -Stut - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Thursday, June 07, 2007 8:56 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: Thanks for your reply. So you are saying I cannot do it using php. These files have to be uploaded locally but using web interface and I have to pass some parameters along with file upload to update the database after upload is successful. Also I have to rename the file after it is uploaded. Any utility which allows this? Sounds like you need a Java applet. I have little experience with this, but I know that quite a few exist. I have no idea if any of them support sending meta data with the upload. I suggest you start Googling. -Stut - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Thursday, June 07, 2007 8:35 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set post_max_size = 4G upload_max_filesize = 4G in php.ini, it doesn't work and everything in post (posted data) is ignored. I get a warning about size of posted data greater than some negative number. I read somewhere that php stores this data in integer. I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2). Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works We need to allow uploading of 4 GB files. Is there any solution. Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for uploading files, especially large ones. And by large ones I mean ~20MB!! You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Even java applets have to hand over the file to some script, in this case php and php will get it in $_FILES array it seems (in case of japplet). so the problem will remain. Not at all true. A Java applet can use FTP to handle the upload and still pass meta data about the file as an HTTP POST request. There is no requirement to use HTTP to upload the file from a Java applet. It is not about how data is going to be transferred but it is about php having a limit on what it can accept as POST. But we'll see how it works out. I'll let everyone know. I am trying japplet for now. Thanks for replying. Sukhwinder Singh - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Friday, June 08, 2007 1:28 AM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: Sounds like you need a Java applet. I have little experience with this, but I know that quite a few exist. I have no idea if any of them support sending meta data with the upload. I suggest you start Googling. Even java applets have to hand over the file to some script, in this case php and php will get it in $_FILES array it seems (in case of japplet). so the problem will remain. Not at all true. A Java applet can use FTP to handle the upload and still pass meta data about the file as an HTTP POST request. There is no requirement to use HTTP to upload the file from a Java applet. -Stut - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Thursday, June 07, 2007 8:56 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: Thanks for your reply. So you are saying I cannot do it using php. These files have to be uploaded locally but using web interface and I have to pass some parameters along with file upload to update the database after upload is successful. Also I have to rename the file after it is uploaded. Any utility which allows this? Sounds like you need a Java applet. I have little experience with this, but I know that quite a few exist. I have no idea if any of them support sending meta data with the upload. I suggest you start Googling. -Stut - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Thursday, June 07, 2007 8:35 PM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set post_max_size = 4G upload_max_filesize = 4G in php.ini, it doesn't work and everything in post (posted data) is ignored. I get a warning about size of posted data greater than some negative number. I read somewhere that php stores this data in integer. I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2). Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works We need to allow uploading of 4 GB files. Is there any solution. Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for uploading files, especially large ones. And by large ones I mean ~20MB!! You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for files that big. HTTP was never designed to handle uploading files of that size. For a start there is no facility to restart the upload should it get interrupted and fail. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
Sukhwinder Singh wrote: Even java applets have to hand over the file to some script, in this case php and php will get it in $_FILES array it seems (in case of japplet). so the problem will remain. Not at all true. A Java applet can use FTP to handle the upload and still pass meta data about the file as an HTTP POST request. There is no requirement to use HTTP to upload the file from a Java applet. It is not about how data is going to be transferred but it is about php having a limit on what it can accept as POST. But we'll see how it works out. I'll let everyone know. I am trying japplet for now. You don't appear to have read what I said. A Java applet can use FTP to upload the file - PHP does not get involved in that part. Once the upload is complete the applet can POST to your PHP file giving it information like where it's put the file and this other information you need to give it so it can rename the file. This is the only bit PHP gets involved in and it doesn't involve trying to upload 4 gig over a machanism that was never designed for it. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs
You don't appear to have read what I said. A Java applet can use FTP to upload the file - PHP does not get involved in that part. Once the upload is complete the applet can POST to your PHP file giving it information like where it's put the file and this other information you need to give it so it can rename the file. This is the only bit PHP gets involved in and it doesn't involve trying to upload 4 gig over a machanism that was never designed for it. Thanks again for replying. I have read. I have been trying to find out way for last two days. I can say about jupload and how it seems to work. It uploads file to server in a temporary directory. It has postURL parameter. Then it POSTS the data to php file. Because it POSTS, the php configuration values comes into question. Here is an example: Settings in php.ini are 50M for upload_max_fisesize and 50M for post_max_size. I used japplet and uploaded a 51.89 MB file. This is what is in error log. [08-Jun-2007 03:06:29] PHP Warning: POST Content-Length of 54414946 bytes exceeds the limit of 52428800 bytes in Unknown on line 0 [08-Jun-2007 03:06:29] PHP Notice: Undefined index: File0 in E:\projects\ice\post_test.php on line 13 File0 is the first file in $_FILES array, as POST fails I don't get that array. I uploaded a 48 MB file and it worked without any problem. Sukhwinder Singh - Original Message - From: Stut [EMAIL PROTECTED] To: Sukhwinder Singh [EMAIL PROTECTED] Cc: php-general@lists.php.net Sent: Friday, June 08, 2007 2:10 AM Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs Sukhwinder Singh wrote: Even java applets have to hand over the file to some script, in this case php and php will get it in $_FILES array it seems (in case of japplet). so the problem will remain. Not at all true. A Java applet can use FTP to handle the upload and still pass meta data about the file as an HTTP POST request. There is no requirement to use HTTP to upload the file from a Java applet. It is not about how data is going to be transferred but it is about php having a limit on what it can accept as POST. But we'll see how it works out. I'll let everyone know. I am trying japplet for now. You don't appear to have read what I said. A Java applet can use FTP to upload the file - PHP does not get involved in that part. Once the upload is complete the applet can POST to your PHP file giving it information like where it's put the file and this other information you need to give it so it can rename the file. This is the only bit PHP gets involved in and it doesn't involve trying to upload 4 gig over a machanism that was never designed for it. -Stut -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
At 6:43 PM -0500 9/26/06, Richard Lynch wrote: On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote: -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size). Extension check is kinda useless... I can name any file I want with .jpg and upload it. get_image_size() is good, as it checks the first N bytes -- But somebody somewhere can construct a worm with the first N bytes that LOOK like a valid image, to get_image_size() A human eyeball check would be even better, as then you *know* that a much larger number of bytes are a valid image. It could still be image+worm with the worm tacked on at the end, and a valid image at the front, which the browser would probably just go ahead and display as valid image. :-( The odds of somebody able to construct a valid-looking image whose exact byte sequence is also a worm are pretty low, but not impossible... :-) That's one of the reasons why I resize images I upload -- image files are never stored as-is. I figure that any possible worms contained therein will probably be damaged beyond working after a shuffle. After all, code is usually sensitive to alteration. So when you read advice to use 0777 you can immediately change that to 0700, because the only access needed is for you, not your group, and not the world of other users on that machine. Excellent point -- thanks. tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
On Wed, September 27, 2006 10:11 am, tedd wrote: So when you read advice to use 0777 you can immediately change that to 0700, because the only access needed is for you, not your group, and not the world of other users on that machine. Excellent point -- thanks. This applies only to Andy -- or those whose server runs as themself Tedd, whose server runs as nobody or some other user, still need 0777 or the FTP hoop-jumping. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties: -- php_info() says the temporary file upload directory is /tmp but I don't know if that's relative to my root directory or what and can't figure out from the documentation how that path is displayed. -- I have tried to call pathinfo() and realpath() on my $_FILES['name']['tmp_name'] file before it is moved, but neither gives the full path to the file (which I realized after reading the documentation that neither is supposed to do). Any ideas on functions that will give the full path of the inputted file? I've been searching the php documentation and general list but to no avail. On the plus side, I did get to practice writing information to a text file, so that was fun :) Thanks for the tips on the chmod requirements for the get_image_size() function, I'm all about keep permissions as strict as possible at this point! Crap, gotta use my brain, huh? :) Seriously, thanks for the overview on how security should be approached and for the advice to not take general security recommendations at face value but to give them some thought, given my unique situation. This is really good for me to learn now, while I'm still implementing my security rather than later when I might have to redo everything (or might have a gaping hole based on a poor assumption). At least I won't be storing anyone's financial information, so I should only be a target for people who just want to be mean, but not people who want to get free stuff from others credit info. Maybe I should have one of those disclaimers posted on my homepage like the ones that you see in taxis sometimes: This driver never carries more than $20 cash. -- This website never carries anyone's financial information. :) Andy On 9/26/06, Richard Lynch [EMAIL PROTECTED] wrote: On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote: So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ's section on my server's website say that /tmp is not shared between the servers. So, looks like /tmp option is out... Did they perhaps give you your own tmp directory elsewhere?... Sometimes you just need to poke at it to figure out where your tmp is, and then you can use the PHP functions that let you specify your own directory, but not the ones that assume that system /tmp is your tmp My host has a tmp dir I can use, but it ain't /tmp, and PHP routinely tries to use /tmp with some functions. G. So, let me see if I understand the situation I'm looking at here: The bad side: -- I don't have any place to put uploaded files outside of my webtree, which makes it tough to ensure these files cannot be surfed to once they are uploaded, and also means I have to do my security checks while the files are within my webtree and potentially accessible. (BAD). Yes. Though if file uploads are working at all, looking at the $_FILES array may give you a clue as to a directory that you maybe *can* access which is your own private tmp... -- Any php script on my server (created by me or somehow maliciously uploaded) can do whatever it wants within my account because all php scripts run as me. (also BAD). On the plus side, some of the coding gets real simple, since you are you, and you are never somebody else. :-) The good side: -- Uploaded files can be chmod so that nobody can read them, then I chmod them when I need to use them. This adds a layer of protection for completely uploaded files. I assume this will not help with files while they are getting their security checks, since PHP has to be able to read and execute them in order to run the checks (get_image_size, etc.)? PHP needs to read them for get_image_size, but not execute. Use minimum force needed. If you are flipping the chmod around within your scripts, that reduces your risk to however long the dir remains in its 0777 (or whatever) state, which is however long your script takes to process whatever it has to process in that state. So long exhaustive checks of the validity of a file are bad because that leaves that window open longer, but they're good because the file is then more likely to be kosher. -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size). Extension check is kinda useless... I can name any file I want with .jpg and upload it. get_image_size() is good, as it checks the first N bytes -- But somebody somewhere can construct a worm with the first N bytes that LOOK like a valid image, to get_image_size() A human eyeball check would be even better, as then you *know* that a much larger number of bytes are a valid image. It could still be image+worm with the worm
Re: [PHP] File Upload Security and chmod
On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote: So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties: -- php_info() says the temporary file upload directory is /tmp but I don't know if that's relative to my root directory or what and can't figure out from the documentation how that path is displayed. /tmp means the /tmp on the root of the hard drive, which your webhost allegedly isn't letting you share... HOWEVER: It is entirely possible (nay, even likely) that they have you in a ch-rooted environment where your /tmp is not somebody else's /tmp so you'll just see /tmp and you don't have to worry about the fact that it's not really really /tmp but somewhere else... -- I have tried to call pathinfo() and realpath() on my $_FILES['name']['tmp_name'] file before it is moved, but neither gives the full path to the file If $_FILES['name']['tmp_name'] does already have the full path, something is very wrong on your system... Note that as soon as your upload-receiving script ends, the file is deleted. You *have* to use move_uploaded_file() on it in the upload-receiving script to save the file somewhere else, or it's just gonna go away, and you ain't gonna see it never again. Maybe I should have one of those disclaimers posted on my homepage like the ones that you see in taxis sometimes: This driver never carries more than $20 cash. -- This website never carries anyone's financial information. :) :-) While there are obviously people out there who will just attack randomly, (spammers) I honestly believe that a valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a much less likely target for an actual human attack. I have absolutely zero evidence to support that claim, other than one site that's been wide open to abuse for most of a decade, and only the mindless spam-bots bother it... :-) -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
Well, seeing as I have no directory anywhere in my file structure called /tmp and yet my file uploads are still working, it would appear that my temporary file upload directory /tmp given by php_info() is somewhere outside of my root directory. So that's good news! That's were I'll be doing my file checks anyway before moving any files into my root directory. Anyway, at this point it looks like I need to buckle down and do some thinkin'. Thank you everyone for your advice, I really really appreciate it!! You guys have given me a really good foundation to start from on these questions of site security, and I appreciate you taking the time to pass on your expertise to a newcomer. All the best, Andy On 9/27/06, Richard Lynch [EMAIL PROTECTED] wrote: On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote: So I've been trying to figure out where php uploads files to temporarily store them before I move them to their permanent storage directory, and I'm having some difficulties: -- php_info() says the temporary file upload directory is /tmp but I don't know if that's relative to my root directory or what and can't figure out from the documentation how that path is displayed. /tmp means the /tmp on the root of the hard drive, which your webhost allegedly isn't letting you share... HOWEVER: It is entirely possible (nay, even likely) that they have you in a ch-rooted environment where your /tmp is not somebody else's /tmp so you'll just see /tmp and you don't have to worry about the fact that it's not really really /tmp but somewhere else... -- I have tried to call pathinfo() and realpath() on my $_FILES['name']['tmp_name'] file before it is moved, but neither gives the full path to the file If $_FILES['name']['tmp_name'] does already have the full path, something is very wrong on your system... Note that as soon as your upload-receiving script ends, the file is deleted. You *have* to use move_uploaded_file() on it in the upload-receiving script to save the file somewhere else, or it's just gonna go away, and you ain't gonna see it never again. Maybe I should have one of those disclaimers posted on my homepage like the ones that you see in taxis sometimes: This driver never carries more than $20 cash. -- This website never carries anyone's financial information. :) :-) While there are obviously people out there who will just attack randomly, (spammers) I honestly believe that a valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a much less likely target for an actual human attack. I have absolutely zero evidence to support that claim, other than one site that's been wide open to abuse for most of a decade, and only the mindless spam-bots bother it... :-) -- Like Music? http://l-i-e.com/artists.htm
Re: [PHP] File Upload Security and chmod
The FTP will be slower, almost for sure.
He's doing it because he can FTP in as himself, and not as the
nobody user Apache runs as.
Your webhost has you running as yourself already, so you can chmod
your files at will in PHP.
On Mon, September 25, 2006 2:11 pm, Andy Hultgren wrote:
Tedd,
Thanks so much your thorough response - it's good to know that I'm not
the
only one trying to figure this out! I'm curious, in your code you use
the
PHP ftp functions, but I have used the PHP functions chmod() and
mkdir()
without establishing an ftp connection. Is it faster to establish an
ftp
connection within PHP and then use the ftp series of functions to
accomplish
all of the directory creation and permissions changes? If so, then I
will
probably change my code to follow yours.
Andy
On 9/25/06, tedd [EMAIL PROTECTED] wrote:
At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
Hi Tedd,
Yes, when I browse to www.myDomain.com I get the index.html file,
and so
I
have been leaving the .public_html/ directory alone since it is not
my
root. I'm curious, what you described is exactly what I'm trying
to do -
what permissions do you set the parent folder at when you are
finished
uploading/saving/downloading/etc.? I have my uploaded_images/
directory set at chmod 0100 and I can still browse to an uploaded
image
from
my file upload page... Thanks for your response,
Andy:
I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.
Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.
As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.
So, the key problem is how to alter parent folder permissions.
With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.
Now, not all php ftp_commands are available to php 4, but you can
connect to your site and change permissions of folders, which is
what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.
You can also create new folders if you want using the command
ftp_mkdir().
Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:
An example web path:
http://www.yourdomain.com/rw/tmp/text.txt
An example symbolic link:
public_html/rw/tmp/text.txt
The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.
Please let me know if this works for you -- watch for line breaks.
hth's
tedd
PS: I don't know what to say about your .public_html/ directory,
but I would just leave it alone.
---
// how to call the function
?php
$ftp_path = public_html/rw/; // note the ftp path
$theDir = tmp;
$theFile =text.txt;
FtpPerms($ftp_path, $theDir, $theFile);
?
// the function
?php
// create directory and change permissions via FTP connection
function FtpPerms($path, $theDir, $theFile)
{
$server='ftp.yourdomain.com'; // ftp server
$connection = ftp_connect($server); // connection
$user = you;
$pass = yourpassword;
$result = ftp_login($connection, $user, $pass); // login to ftp
server
if ((!$connection) || (!$result))
{
echo(No connectionbr/);
return false;
exit();
}
else
{
echo(Made connectionbr/);
ftp_chdir($connection, $path); // go to destination dir
echo(Change permissionbr/);
$str=CHMOD 0755 . $theDir; // change permissions for dir (note
the
space after 0775 )
ftp_site($connection, $str);
echo($strbr/);
$filename = $theDir/$theFile;
$contents = This is the contents of the file.;
echo(hrbr/Writing file br/br/);
$file = fopen( $filename, w );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);
echo(Change permissionbr/);
$str=CHMOD 0600 . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo($strbr/);
Re: [PHP] File Upload Security and chmod
On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote: So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ's section on my server's website say that /tmp is not shared between the servers. So, looks like /tmp option is out... Did they perhaps give you your own tmp directory elsewhere?... Sometimes you just need to poke at it to figure out where your tmp is, and then you can use the PHP functions that let you specify your own directory, but not the ones that assume that system /tmp is your tmp My host has a tmp dir I can use, but it ain't /tmp, and PHP routinely tries to use /tmp with some functions. G. So, let me see if I understand the situation I'm looking at here: The bad side: -- I don't have any place to put uploaded files outside of my webtree, which makes it tough to ensure these files cannot be surfed to once they are uploaded, and also means I have to do my security checks while the files are within my webtree and potentially accessible. (BAD). Yes. Though if file uploads are working at all, looking at the $_FILES array may give you a clue as to a directory that you maybe *can* access which is your own private tmp... -- Any php script on my server (created by me or somehow maliciously uploaded) can do whatever it wants within my account because all php scripts run as me. (also BAD). On the plus side, some of the coding gets real simple, since you are you, and you are never somebody else. :-) The good side: -- Uploaded files can be chmod so that nobody can read them, then I chmod them when I need to use them. This adds a layer of protection for completely uploaded files. I assume this will not help with files while they are getting their security checks, since PHP has to be able to read and execute them in order to run the checks (get_image_size, etc.)? PHP needs to read them for get_image_size, but not execute. Use minimum force needed. If you are flipping the chmod around within your scripts, that reduces your risk to however long the dir remains in its 0777 (or whatever) state, which is however long your script takes to process whatever it has to process in that state. So long exhaustive checks of the validity of a file are bad because that leaves that window open longer, but they're good because the file is then more likely to be kosher. -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size). Extension check is kinda useless... I can name any file I want with .jpg and upload it. get_image_size() is good, as it checks the first N bytes -- But somebody somewhere can construct a worm with the first N bytes that LOOK like a valid image, to get_image_size() A human eyeball check would be even better, as then you *know* that a much larger number of bytes are a valid image. It could still be image+worm with the worm tacked on at the end, and a valid image at the front, which the browser would probably just go ahead and display as valid image. :-( The odds of somebody able to construct a valid-looking image whose exact byte sequence is also a worm are pretty low, but not impossible... :-) (Plus all the stuff talked about in the PHP Security Guide provided by the PHP Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well, all of it that I can implement without having access to a directory outside of my webtree anyway). Be careful. It's entirely possible that *some* of the advice would put you at higher risk with your setup, if their assumption is the nobody user and a directory outside web-tree. So just because you *CAN* implement your advice in your situation, won't mean you should. You're going to have to examine every little thing on a case-by-case basis with your Security Hat on firmly -- Which means thinking If I was Evil, how would I break this? So, given this situation (if I've got it right), I have two questions: 1) With the above as is, am I just asking for anyone to come in and tear my site apart? I am not an experienced web developer (obviously), but I love to read. Is that enough to build a secure site, or am I just way in over my head? There's no such thing as a secure site... A secure site is not an off/on switch. It's more a gradient from horrible to very strong. And the act of building a Secure site is not even just a question of following all the rules in http://phpsec.org and so on. It's a thought process, a living breathing intelligent human actually *thinking* about what they are doing, and what the Risks are, and what the Benefits are, and trying to consider every possible angle of every decision. Are you building an e-commerce site, right out of the gate, on a server configured like this? Bad Idea. Are you building just a photo upload site? Probably
Re: [PHP] File Upload Security and chmod
At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
Hi Tedd,
Yes, when I browse to www.myDomain.com I get the index.html file, and so I
have been leaving the .public_html/ directory alone since it is not my
root. I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.? I have my uploaded_images/
directory set at chmod 0100 and I can still browse to an uploaded image from
my file upload page... Thanks for your response,
Andy:
I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.
Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.
As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.
So, the key problem is how to alter parent folder permissions.
With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.
Now, not all php ftp_commands are available to php 4, but you can
connect to your site and change permissions of folders, which is what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.
You can also create new folders if you want using the command ftp_mkdir().
Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:
An example web path:
http://www.yourdomain.com/rw/tmp/text.txt
An example symbolic link:
public_html/rw/tmp/text.txt
The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.
Please let me know if this works for you -- watch for line breaks.
hth's
tedd
PS: I don't know what to say about your .public_html/ directory,
but I would just leave it alone.
---
// how to call the function
?php
$ftp_path = public_html/rw/; // note the ftp path
$theDir = tmp;
$theFile =text.txt;
FtpPerms($ftp_path, $theDir, $theFile);
?
// the function
?php
// create directory and change permissions via FTP connection
function FtpPerms($path, $theDir, $theFile)
{
$server='ftp.yourdomain.com'; // ftp server
$connection = ftp_connect($server); // connection
$user = you;
$pass = yourpassword;
$result = ftp_login($connection, $user, $pass); // login to ftp server
if ((!$connection) || (!$result))
{
echo(No connectionbr/);
return false;
exit();
}
else
{
echo(Made connectionbr/);
ftp_chdir($connection, $path); // go to destination dir
echo(Change permissionbr/);
$str=CHMOD 0755 . $theDir; // change permissions for dir (note the
space after 0775 )
ftp_site($connection, $str);
echo($strbr/);
$filename = $theDir/$theFile;
$contents = This is the contents of the file.;
echo(hrbr/Writing file br/br/);
$file = fopen( $filename, w );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);
echo(Change permissionbr/);
$str=CHMOD 0600 . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo($strbr/);
echo(Close connectionbr/);
ftp_close($connection); // close connection
}
}
?
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
Tedd,
Thanks so much your thorough response - it's good to know that I'm not the
only one trying to figure this out! I'm curious, in your code you use the
PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
without establishing an ftp connection. Is it faster to establish an ftp
connection within PHP and then use the ftp series of functions to accomplish
all of the directory creation and permissions changes? If so, then I will
probably change my code to follow yours.
Andy
On 9/25/06, tedd [EMAIL PROTECTED] wrote:
At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
Hi Tedd,
Yes, when I browse to www.myDomain.com I get the index.html file, and so
I
have been leaving the .public_html/ directory alone since it is not my
root. I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.? I have my uploaded_images/
directory set at chmod 0100 and I can still browse to an uploaded image
from
my file upload page... Thanks for your response,
Andy:
I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.
Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.
As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.
So, the key problem is how to alter parent folder permissions.
With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.
Now, not all php ftp_commands are available to php 4, but you can
connect to your site and change permissions of folders, which is what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.
You can also create new folders if you want using the command ftp_mkdir().
Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:
An example web path:
http://www.yourdomain.com/rw/tmp/text.txt
An example symbolic link:
public_html/rw/tmp/text.txt
The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.
Please let me know if this works for you -- watch for line breaks.
hth's
tedd
PS: I don't know what to say about your .public_html/ directory,
but I would just leave it alone.
---
// how to call the function
?php
$ftp_path = public_html/rw/; // note the ftp path
$theDir = tmp;
$theFile =text.txt;
FtpPerms($ftp_path, $theDir, $theFile);
?
// the function
?php
// create directory and change permissions via FTP connection
function FtpPerms($path, $theDir, $theFile)
{
$server='ftp.yourdomain.com'; // ftp server
$connection = ftp_connect($server); // connection
$user = you;
$pass = yourpassword;
$result = ftp_login($connection, $user, $pass); // login to ftp server
if ((!$connection) || (!$result))
{
echo(No connectionbr/);
return false;
exit();
}
else
{
echo(Made connectionbr/);
ftp_chdir($connection, $path); // go to destination dir
echo(Change permissionbr/);
$str=CHMOD 0755 . $theDir; // change permissions for dir (note the
space after 0775 )
ftp_site($connection, $str);
echo($strbr/);
$filename = $theDir/$theFile;
$contents = This is the contents of the file.;
echo(hrbr/Writing file br/br/);
$file = fopen( $filename, w );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);
echo(Change permissionbr/);
$str=CHMOD 0600 . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo($strbr/);
echo(Close connectionbr/);
ftp_close($connection); // close connection
}
}
?
--
---
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
On 9/25/06, Andy Hultgren [EMAIL PROTECTED] wrote: Tedd, Thanks so much your thorough response - it's good to know that I'm not the only one trying to figure this out! I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes? If so, then I will probably change my code to follow yours. Andy By using FTP you can specify which user account you want the connection to be established at. When running a PHP script the script will be running by the Apache server, which means it will have specific permission levels which cannot create directories or chmod unless Apache owns the parent directory. That is why Tedd went through all that trouble.
Re: [PHP] File Upload Security and chmod
Andy: It was never a question of speed for me -- it was a question of being able to change file permissions from within a php script so that I could create and write files safely. You see, I am *not* able to use chmod() within a php script at all regardless of what permissions the file and parent folder have -- even when both are set to 0777. To do any permissions changing from within a php script I am forced to resort to a ftp connection as I previously described. I can't even create a file, nor open a file for writing, without the parent folder having 0777 permissions. The only option I had was to set parent folders to 0777 and leave them that way, and I wasn't going to do that for security reasons. Now, perhaps something is wrong with my server (or me) -- but -- I have more than one server and the same tests held true for all of them. So, if you can chmod() and mkdir() from within your php script without establishing an ftp connection, then more power to you, because I can't. And that's the reason I use ftp_login. I thought that you had the same problem. Now, perhaps I should RTFM again -- but -- I have read it and I have not found another method that works to change permissions other than to use ftp_logon. I suspect that this problem may be pretty obvious to the gang, but I don't know if anyone cares to comment. Comments? tedd --- At 1:11 PM -0600 9/25/06, Andy Hultgren wrote: Tedd, Thanks so much your thorough response - it's good to know that I'm not the only one trying to figure this out! I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes? If so, then I will probably change my code to follow yours. Andy On 9/25/06, tedd mailto:[EMAIL PROTECTED][EMAIL PROTECTED] wrote: At 9:32 PM -0600 9/24/06, Andy Hultgren wrote: Hi Tedd, Yes, when I browse to http://www.myDomain.com www.myDomain.com I get the index.html file, and so I have been leaving the .public_html/ directory alone since it is not my root. I'm curious, what you described is exactly what I'm trying to do - what permissions do you set the parent folder at when you are finished uploading/saving/downloading/etc.? I have my uploaded_images/ directory set at chmod 0100 and I can still browse to an uploaded image from my file upload page... Thanks for your response, Andy: I ran into the same problem trying to work with, and understand, permissions on a virtual host. When I asked this gang about permissions some time back, I received answers that ranged from RTFM to calling me stupid for using 0777, but none answered my question. No fault of the gang, I probably didn't ask the question correctly. In any event, I felt too stupid to ask the question again, so I went elsewhere looking for answers and eventually found something that works for me. Some consider me a novice, so I'll ask the gang to overview my comments to make sure that I'm not guiding you down the wrong path. As you know, the key to setting the permissions of a file depends upon the permissions the parent folder. If the parent folder permission is set to 0777, then we can change any files inside the folder as we want. However, that also presents a major security hole because then anyone can use that folder to upload and run evil code. So, the key problem is how to alter parent folder permissions. With virtual hosting, we can upload, manage, and set permissions as we want via our FTP connection software. So, I thought perhaps php had something like that and as such I discovered how to ftp connect via php. Now, not all php ftp_commands are available to php 4, but you can connect to your site and change permissions of folders, which is what we actually need. So, if you want to do something with a file: then change the folder permissions of the folder that holds it; do whatever you want with the file; and then change the folder permissions back to something safe. You can also create new folders if you want using the command ftp_mkdir(). Note, the beginning of the ftp_paths are different than url paths we would normally use to locate a file. For example: An example web path: http://www.yourdomain.com/rw/tmp/text.txthttp://www.yourdomain.com/rw/tmp/text.txt An example symbolic link: public_html/rw/tmp/text.txt The following code will show you an example of how this works. Just put in your own domain, user id, password, and correct paths and try it out. Change the permissions in the code and watch how the file permissions change. Please let me know if this works for you -- watch for line breaks. hth's tedd PS: I don't know what to say about your .public_html/ directory, but I would just leave it alone. --- // how to call the function ?php $ftp_path =
Re: [PHP] File Upload Security and chmod
Well, that didn't sound too good... So I tried to implement the example code given in the php tmpfile() documentation and it wouldn't do anything, which suggests that I don't have access to the /tmp directory. Also, the FAQ's section on my server's website say that /tmp is not shared between the servers. So, looks like /tmp option is out... So, let me see if I understand the situation I'm looking at here: The bad side: -- I don't have any place to put uploaded files outside of my webtree, which makes it tough to ensure these files cannot be surfed to once they are uploaded, and also means I have to do my security checks while the files are within my webtree and potentially accessible. (BAD). -- Any php script on my server (created by me or somehow maliciously uploaded) can do whatever it wants within my account because all php scripts run as me. (also BAD). The good side: -- Uploaded files can be chmod so that nobody can read them, then I chmod them when I need to use them. This adds a layer of protection for completely uploaded files. I assume this will not help with files while they are getting their security checks, since PHP has to be able to read and execute them in order to run the checks (get_image_size, etc.)? -- Since I'm only allowing image uploads, I can strictly filter which files are allowed to be uploaded (with extension checks and get_image_size). (Plus all the stuff talked about in the PHP Security Guide provided by the PHP Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well, all of it that I can implement without having access to a directory outside of my webtree anyway). So, given this situation (if I've got it right), I have two questions: 1) With the above as is, am I just asking for anyone to come in and tear my site apart? I am not an experienced web developer (obviously), but I love to read. Is that enough to build a secure site, or am I just way in over my head? 2) Imaging that I can convince my host to rebuild my site so that I have access to directories outside of my webtree and can check and save uploaded files there, does that make the situation substantially better? Or is the PHP running as me thing enough alone to raise some serious serious problems (perhaps less around the image uploading but more around a login page or something)? As always, thank you so much for your help. Andy On 9/25/06, Richard Lynch [EMAIL PROTECTED] wrote: On Sun, September 24, 2006 11:04 pm, Andy Hultgren wrote: I really appreciate your help with this. To answer your first question: when people surf to my site they see the stuff next to (outside) .public_html/, not anything within .public_html/. (Thanks by the way for explaining the .dirName invisibility thing, that's one confusing thing not to worry about anymore!) Hmmm. Okay, so you definitely do not have any space outside the webtree. That's bad. Anything you upload is stuck being available to the public, to some degree. :-( You *may* be able to utilize /tmp See if you can write a short little script with http://php.net/tmpfile This will give you and idea if you can stash things in /tmp, at least until you can confirm that they are not Evil. To answer your second question: the uploadedFiles/ directory is 0100, but not the file. The uploaded file itself is 0640. So your login is allowed to read files within the directory, but not to list what's in the directory. Your login and your group can read the file itself. Your login can write the file as well. See next question/answer. Third question: it runs as the same username I use to login to my server's ftp site. This information wasn't in the output of the phpinfo() function (that I could find). I did some searching on php.net and found this entry under the get_current_user() function ( http://us3.php.net/manual/en/function.get-current-user.php, top user contributed note): ** *to get the username of the process owner (rather than the file owner), you can use: **?php $processUser = posix_getpwuid(posix_geteuid**()); print $processUser['name'**]; ? * ** I used this code to find out the user PHP runs as. Is that what you were looking for? Yes. And since PHP runs as you with your login, it can do everything listed above. So you probably cannot surf to the DIRECTORY and get a listing (even if DirectoryIndex is on) but if you know the name of the file in advance, you can surf to it. So if you want to make a file not readable, you have to chmod it so that *YOU* cannot read it. This will be a PITA because then you'll need to chmod it back any time you want to mess with it. As the owner of a file, you are allowed to chmod it so that you yourself cannot read it -- kind of like locking it away in a safe -- and then you have to chmod it back to readable (open the safe) to read it. You still own the file, so you can always chmod it anywhich way you want, at any time. Running your webserver as you gives it a lot of power
Re: [PHP] File Upload Security and chmod
Hey Tedd and Eric, Between the two of you and Richard Lynch's last post, I understand why I can use chmod() and mkdir() within php without having to use the ftp commands: I run on a server that is configured to run my php scripts as username (ie. me!) instead of as nobody (which is much more common). So my php scripts have powers which they probably shouldn't have. So, Tedd, you don't have to go back to the manual it looks like you are exactly right, I'm just on a goofy server which is the exception to the rule (for better or for worse). I really appreciate you guys jumping in a giving me a hand. Hopefully I get good enough at this that I can return the favor sometime!!! Andy On 9/25/06, Eric Butera [EMAIL PROTECTED] wrote: On 9/25/06, Andy Hultgren [EMAIL PROTECTED] wrote: Tedd, Thanks so much your thorough response - it's good to know that I'm not the only one trying to figure this out! I'm curious, in your code you use the PHP ftp functions, but I have used the PHP functions chmod() and mkdir() without establishing an ftp connection. Is it faster to establish an ftp connection within PHP and then use the ftp series of functions to accomplish all of the directory creation and permissions changes? If so, then I will probably change my code to follow yours. Andy By using FTP you can specify which user account you want the connection to be established at. When running a PHP script the script will be running by the Apache server, which means it will have specific permission levels which cannot create directories or chmod unless Apache owns the parent directory. That is why Tedd went through all that trouble.
Re: [PHP] File Upload Security and chmod
Hi Tedd, Yes, when I browse to www.myDomain.com I get the index.html file, and so I have been leaving the .public_html/ directory alone since it is not my root. I'm curious, what you described is exactly what I'm trying to do - what permissions do you set the parent folder at when you are finished uploading/saving/downloading/etc.? I have my uploaded_images/ directory set at chmod 0100 and I can still browse to an uploaded image from my file upload page... Thanks for your response, Andy On 9/23/06, tedd [EMAIL PROTECTED] wrote: At 7:19 PM -0600 9/22/06, Andy Hultgren wrote: For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called .public_html it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I ftp in to myDomain.com this is what is there: index.htm page1.htm page2.htm .public_html/ images/ etc. etc. Andy: Sorry, I didn't catch all of the thread, but this is my drift. When you access your site (http://yourdomain.com) via a browser, do you see the above index.htm? If so, and you want to stay with that host, then leave the .public_html/ folder alone, and build your site using WinFTP, or whatever. If you want to change permissions for a file from within a php script, then ftp into your site (using ftp_login), change the parent folder permissions, do your file thing (upload, delete, save, etc.), and then change the parent folder permissions back and it's done. At least that's the way I do it working on a shared host and it works for me. tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] File Upload Security and chmod
On Saturday 23 September 2006 01:27, you wrote:
Hi Borge,
host/users/myDomain is the actual directory (and it's the root
directory), and I do not have access to higher directories. So
basically I do not have access to directories higher than my root
directory, which is unfortunate. Also, the way the server is setup
that I am on, I do not have access to the server's tmp file (it is not
shared), I have my own tmp file in my root directory that I use. I
don't know of any other system-wide read/write directory available
either. I'd be putting a lot of data there too (customer uploaded
images) so I really should save them somewhere in my directory and not
in the common server space.
You can start to see my bind... :( Any thoughts greatly appreciated!
Andy
Sounds like cheap b-one hosting of sorts...
thoughts? yes dont use it... Yer site will probably quickly become a playing
ground for other than yerself. A file have to stay inside a quarantined area
for a sanity check before let loose on the system.
Probably the cache of the browser ... for the I can see the page stuff. dunno.
But as I said: Change yer hosting, to something useable and safe.
On 9/22/06, Børge Holen [EMAIL PROTECTED] wrote:
On Friday 22 September 2006 22:58, Andy Hultgren wrote:
Hi,
I am relatively new to php and am trying to set up a file upload
process for my website. I have read through the php security
documentation and a number of the security-related questions on these
lists and am attempting to implement as many of the measures as
possible.
One of the suggestions I have read is to have the uploaded files saved
somewhere outside of your root directory. Unfortunately I cannot do
that as my root directory is simply www.myDomain.com and not
.public_html/ and I am on a shared server where my root cannot be
changed (I have already asked). So, I am trying to keep the
permissions on my saved_files folder as tight as possible except
when the actual upload occurs. I this as follows:
1) The actual file upload comes through Flash8, and when the user
uploads a file it is sent to
www.domain.com/flash8directory/upload.php, which is in the same
directory as the Flash8 upload application.
2) upload.php first chmod 0740 the saved_files folder (which is
located at www.domain.com/flash8directory/saved_files/). Then it does
security checks to make sure an appropriate image has been uploaded,
and if everything looks good it moves the uploaded file to
saved_files.
3) The Flash8 upload application is notified of the completion of the
upload and downloads the new image it its viewer.
4) Once the download is complete and Flash8 no longer needs to work
with the file, the Flash8 application notifies a separate php script
by sending the variable complete=1 to lockdown.php (located at
www.domain.com/flash8directory/lockdown.php), which runs the following
simple script:
?php
$success = 0;
$complete = $_POST['complete'];
if ($complete==1) {
if(chmod(./saved_files, 0100)) {
success = yes;
echo success=yes;
}
}
?
This script works and saved_files is set to chmod 0100, but here is
the problem. If I then navigate directly to the url of the uploaded
file by entering its path in my
browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
the uploaded file appears in my browser! However, if I then refresh
the browser I get the desired error message saying I do not have
permission to access that file. Also, other browser windows never
have access to view the uploaded file, only the browser from which the
file was uploaded.
Any thoughts on why I can view the uploaded file even though it has
been set to chmod 0100? I'd really rather not have those files
accessible to anyone, as an extra security layer.
Thank you for your help!
Andy
I don't quite understand why you cannot save to another catalog.
is www.myDomain.com yer actual directory name of merely the domain?
If either, login to yer domain and simply go either one step up, is that
possible?
You can also make use of a .htaccess file inside a sub directory to keep
others from it till you have checked the file, then move it out in the
open or delete after specifications.
Do you have access to /tmp ? That one is possible to use, in fact any
system wide directory writable by any/you is usable.
--
---
Børge
Kennel Arivene
http://www.arivene.net
---
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
---
Børge
Kennel Arivene
http://www.arivene.net
---
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
At 7:19 PM -0600 9/22/06, Andy Hultgren wrote: For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called .public_html it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I ftp in to myDomain.com this is what is there: index.htm page1.htm page2.htm .public_html/ images/ etc. etc. Andy: Sorry, I didn't catch all of the thread, but this is my drift. When you access your site (http://yourdomain.com) via a browser, do you see the above index.htm? If so, and you want to stay with that host, then leave the .public_html/ folder alone, and build your site using WinFTP, or whatever. If you want to change permissions for a file from within a php script, then ftp into your site (using ftp_login), change the parent folder permissions, do your file thing (upload, delete, save, etc.), and then change the parent folder permissions back and it's done. At least that's the way I do it working on a shared host and it works for me. tedd -- --- http://sperling.com http://ancientstones.com http://earthstones.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
On Friday 22 September 2006 22:58, Andy Hultgren wrote:
Hi,
I am relatively new to php and am trying to set up a file upload
process for my website. I have read through the php security
documentation and a number of the security-related questions on these
lists and am attempting to implement as many of the measures as
possible.
One of the suggestions I have read is to have the uploaded files saved
somewhere outside of your root directory. Unfortunately I cannot do
that as my root directory is simply www.myDomain.com and not
.public_html/ and I am on a shared server where my root cannot be
changed (I have already asked). So, I am trying to keep the
permissions on my saved_files folder as tight as possible except
when the actual upload occurs. I this as follows:
1) The actual file upload comes through Flash8, and when the user
uploads a file it is sent to
www.domain.com/flash8directory/upload.php, which is in the same
directory as the Flash8 upload application.
2) upload.php first chmod 0740 the saved_files folder (which is
located at www.domain.com/flash8directory/saved_files/). Then it does
security checks to make sure an appropriate image has been uploaded,
and if everything looks good it moves the uploaded file to
saved_files.
3) The Flash8 upload application is notified of the completion of the
upload and downloads the new image it its viewer.
4) Once the download is complete and Flash8 no longer needs to work
with the file, the Flash8 application notifies a separate php script
by sending the variable complete=1 to lockdown.php (located at
www.domain.com/flash8directory/lockdown.php), which runs the following
simple script:
?php
$success = 0;
$complete = $_POST['complete'];
if ($complete==1) {
if(chmod(./saved_files, 0100)) {
success = yes;
echo success=yes;
}
}
?
This script works and saved_files is set to chmod 0100, but here is
the problem. If I then navigate directly to the url of the uploaded
file by entering its path in my
browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
the uploaded file appears in my browser! However, if I then refresh
the browser I get the desired error message saying I do not have
permission to access that file. Also, other browser windows never
have access to view the uploaded file, only the browser from which the
file was uploaded.
Any thoughts on why I can view the uploaded file even though it has
been set to chmod 0100? I'd really rather not have those files
accessible to anyone, as an extra security layer.
Thank you for your help!
Andy
I don't quite understand why you cannot save to another catalog.
is www.myDomain.com yer actual directory name of merely the domain?
If either, login to yer domain and simply go either one step up, is that
possible?
You can also make use of a .htaccess file inside a sub directory to keep
others from it till you have checked the file, then move it out in the open
or delete after specifications.
Do you have access to /tmp ? That one is possible to use, in fact any system
wide directory writable by any/you is usable.
--
---
Børge
Kennel Arivene
http://www.arivene.net
---
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote: that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be I got two words for you: Change Hosts -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
So pretty much there's nothing to be done about it? If I can get the chmod thing to make it so that you can't surf to your uploaded image afterwards and view it, I'd be happy with that solution. I'd like to stick with this host if I could. On 9/22/06, Richard Lynch [EMAIL PROTECTED] wrote: On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote: that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be I got two words for you: Change Hosts -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
I may have hit send too soon... Like, when you do FTP, do you see: index.htm page2.htm page3.htm right away? *OR*, do you see: public_html And then you do cd public_html and THEN you see the files? If you don't do cd public_html then I really don't think accepting file uploads is a Good Idea, unless you have access to /tmp or something to put the files in... If you do cd public_html then you actually HAVE space outside your webtree. Just do mkdir uploads and chmod 777 uploads *BEFORE* you do cd public_html and you'll have an uploads dir outside the webtree where you can put stuff. NOTE: Some fancy FTP tools like DreamWeaver and whatnot will convince you to put public_html into some input box somewhere, to give you the convenience of not needing to cd public_html -- which then means you never *SEE* that you have space outside your webtree... Stop doing that. An extra click or whatever to get into public_html is not that big of a deal. On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote: So pretty much there's nothing to be done about it? If I can get the chmod thing to make it so that you can't surf to your uploaded image afterwards and view it, I'd be happy with that solution. I'd like to stick with this host if I could. On 9/22/06, Richard Lynch [EMAIL PROTECTED] wrote: On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote: that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be I got two words for you: Change Hosts -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Security and chmod
For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called .public_html it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I ftp in to myDomain.com this is what is there: index.htm page1.htm page2.htm .public_html/ images/ etc. etc. Currently nothing is stored in my .public_html directory since it is not my root (and my website loads just fine when browsed to). I don't ftp in from DreamWeaver and it isn't an issue of going straight to public_html just to skip the cd step. public_html just isn't set up as my root directory and I have no directories accessable that are higher than my root. So, since I have no access to directories outside of my root, do you really think I should change that before allowing file uploads? (either by changing servers or just bugging my server adminstrator until he changes it). I currently check extension type and then image type using get_image_size(); and also files with image extensions are not executable on the server. However, from what I've read I understand that those steps are the minimum in terms of file upload security. Also, I'd be curious still to hear why I can browse to a file in a directory that has been set with chmod 0100. I really didn't expect that. Thanks again very much for your thoughts, Andy On 9/22/06, Richard Lynch [EMAIL PROTECTED] wrote: I may have hit send too soon... Like, when you do FTP, do you see: index.htm page2.htm page3.htm right away? *OR*, do you see: public_html And then you do cd public_html and THEN you see the files? If you don't do cd public_html then I really don't think accepting file uploads is a Good Idea, unless you have access to /tmp or something to put the files in... If you do cd public_html then you actually HAVE space outside your webtree. Just do mkdir uploads and chmod 777 uploads *BEFORE* you do cd public_html and you'll have an uploads dir outside the webtree where you can put stuff. NOTE: Some fancy FTP tools like DreamWeaver and whatnot will convince you to put public_html into some input box somewhere, to give you the convenience of not needing to cd public_html -- which then means you never *SEE* that you have space outside your webtree... Stop doing that. An extra click or whatever to get into public_html is not that big of a deal. On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote: So pretty much there's nothing to be done about it? If I can get the chmod thing to make it so that you can't surf to your uploaded image afterwards and view it, I'd be happy with that solution. I'd like to stick with this host if I could. On 9/22/06, Richard Lynch [EMAIL PROTECTED] wrote: On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote: that as my root directory is simply www.myDomain.com and not .public_html/ and I am on a shared server where my root cannot be I got two words for you: Change Hosts -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file Upload - checking file size before uploading
James Nunnerley schrieb: Is there anyway to check the size of a file before it starts uploading it? For instance, if the file is huge, and takes ages to upload, and is then rejected by the server, the user will be somewhat annoyed! I'm not even sure this is a php question! No you can't. Not with PHP. -- Smileys rule (cX.x)C --o(^_^o) Dance for me! ^(^_^)o (o^_^)o o(^_^)^ o(^_^o) -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] file Upload - checking file size before uploading
[snip] Is there anyway to check the size of a file before it starts uploading it? For instance, if the file is huge, and takes ages to upload, and is then rejected by the server, the user will be somewhat annoyed! [/snip] PHP is server-side and cannot check anything client-side. You cold use something client-side, like JavaScript, to check the file size and then deliver a warning if the file is too large. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file Upload - checking file size before uploading
On Wednesday 10 May 2006 13:39, Jay Blanchard wrote: [snip] Is there anyway to check the size of a file before it starts uploading it? For instance, if the file is huge, and takes ages to upload, and is then rejected by the server, the user will be somewhat annoyed! [/snip] PHP is server-side and cannot check anything client-side. You cold use something client-side, like JavaScript, to check the file size and then deliver a warning if the file is too large. Alternately ... This service only accepts files up to 10 MB. Uploading anything larger will fail. Assumes comprehension unfortunately. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file Upload - checking file size before uploading
James Nunnerley wrote: Is there anyway to check the size of a file before it starts uploading it? For instance, if the file is huge, and takes ages to upload, and is then rejected by the server, the user will be somewhat annoyed! I'm not even sure this is a php question! Nope not a PHP question. However you can set the max file size within the form tag of HTML. I forget the proper snytax and tag off the top of my head. I am not sure the error it spits out as I have never tested that. you can also use javascript or the like to check the file size. Bless Be Phillip -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file Upload - checking file size before uploading
Jay Blanchard wrote: [snip] Is there anyway to check the size of a file before it starts uploading it? For instance, if the file is huge, and takes ages to upload, and is then rejected by the server, the user will be somewhat annoyed! [/snip] PHP is server-side and cannot check anything client-side. You cold use something client-side, like JavaScript, to check the file size and then deliver a warning if the file is too large. please, how do you do that with javascript - given the sandbox that javascript runs in which doesn't allow access to the file system (IE security bugs and v. special browser settings not with standing)? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file Upload - checking file size before uploading
On Wed, May 10, 2006 11:09 am, Phillip S. Baker wrote: James Nunnerley wrote: However you can set the max file size within the form tag of HTML. I forget the proper snytax and tag off the top of my head. I am not sure the error it spits out as I have never tested that. you can also use javascript or the like to check the file size. AFAIK, the browsers never did get around to using this to do anything useful with it... It is a weird sort of check, from those halcyon days when users didn't do things like hack POST data to try and break your server... So, pretty much, it's a useless bit of cruft, really. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file Upload - checking file size before uploading
In your form uploading script:
# individual file size limit - in bytes (102400 bytes = 100KB)
$file_size_ind = 838860800; // 819.2 MB
$weight=$_FILES[fileupload][size];
if ($weight$file_size_ind)
{
echobrimg src=\$dir_img/error.gif\ width=\15\
height=\15\nbsp;bfont size=\2\ERROR: please get the file size
less than .$file_size_ind. BYTES (.round(($file_size_ind/1024),2).
KB)/font/bbr»a href=\$_SERVER[PHP_SELF]\back/a;
}
James Nunnerley wrote:
Is there anyway to check the size of a file before it starts uploading it?
For instance, if the file is huge, and takes ages to upload, and is then
rejected by the server, the user will be somewhat annoyed!
I'm not even sure this is a php question!
Cheers
Nunners
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file Upload - checking file size before uploading
Wolf wrote:
In your form uploading script:
# individual file size limit - in bytes (102400 bytes = 100KB)
$file_size_ind = 838860800; // 819.2 MB
$weight=$_FILES[fileupload][size];
if ($weight$file_size_ind)
{
echobrimg src=\$dir_img/error.gif\ width=\15\
height=\15\nbsp;bfont size=\2\ERROR: please get the file size
less than .$file_size_ind. BYTES (.round(($file_size_ind/1024),2).
KB)/font/bbr»a href=\$_SERVER[PHP_SELF]\back/a;
}
That has already attempted to upload the file to the server.. which is
what the OP didn't want.
Would be handy to be able to do this but *shrug*..
--
Postgresql php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file Upload - checking file size before uploading
True, but it checks it at the first attempt to upload, not when the file
is done or partially uploaded. Granted, not what the OP asked for
exactly, but better then what he has now and better then spending more
time looking...
Wolf
Chris wrote:
Wolf wrote:
In your form uploading script:
# individual file size limit - in bytes (102400 bytes = 100KB)
$file_size_ind = 838860800; // 819.2 MB
$weight=$_FILES[fileupload][size];
if ($weight$file_size_ind)
{
echobrimg src=\$dir_img/error.gif\ width=\15\
height=\15\nbsp;bfont size=\2\ERROR: please get the file size
less than .$file_size_ind. BYTES (.round(($file_size_ind/1024),2).
KB)/font/bbr»a href=\$_SERVER[PHP_SELF]\back/a;
}
That has already attempted to upload the file to the server.. which is
what the OP didn't want.
Would be handy to be able to do this but *shrug*..
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
I might have asked this already but I am still ignorent ;-) How to check if a same name file already exists in a upload directory when uploading new file? Use the appropriately named file_exists() function. L. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
RE: [PHP] file upload
How to check if a same name file already exists in a upload directory when uploading new file? Use the file_exists() function (oddly named, I know). http://us4.php.net/manual/en/function.file-exists.php -M -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
On Mon, 2005-04-04 at 17:07 +0300, William Stokes wrote: Hello, I might have asked this already but I am still ignorent ;-) How to check if a same name file already exists in a upload directory when uploading new file? Thanks -Will http://www.php.net/file_exists -Robby -- /*** * Robby Russell | Owner.Developer.Geek * PLANET ARGON | www.planetargon.com * Portland, OR | [EMAIL PROTECTED] * 503.351.4730 | blog.planetargon.com * PHP, Ruby, and PostgreSQL Development * http://www.robbyonrails.com/ / -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
William Stokes wrote: Okl I can't reverse engineer that... I just need to know how to set the path. now I have it like this and it wont work. $fileame comes from a form. if (copy($filename, /imagedir/ . $filename_name)) print H2upload succesful!/H2; Don't use copy(), use move_uploaded_file() See http://www.php.net/manual/en/features.file-upload.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
http://www.hotscripts.com/Detailed/24113.html take a look at this.. perhaps you can reverse engineer it William Stokes [EMAIL PROTECTED] 24/03/2005 09:18 To php-general@lists.php.net cc Subject [PHP] file upload Hello, I'm (slowly) learning how to make a file upload stuff with php. Now I would like to know how to define the servers upload directory in the code? For example I have the upload script in folder /www in the www.domain.com server and I want upload the files to /www/uploads folder. So how do write the path in the php script? Thanks -Will -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
Okl I can't reverse engineer that... I just need to know how to set the path. now I have it like this and it wont work. $fileame comes from a form. if (copy($filename, /imagedir/ . $filename_name)) print H2upload succesful!/H2; Tristan Pretty [EMAIL PROTECTED] kirjoitti viestissä:[EMAIL PROTECTED] http://www.hotscripts.com/Detailed/24113.html take a look at this.. perhaps you can reverse engineer it William Stokes [EMAIL PROTECTED] 24/03/2005 09:18 To php-general@lists.php.net cc Subject [PHP] file upload Hello, I'm (slowly) learning how to make a file upload stuff with php. Now I would like to know how to define the servers upload directory in the code? For example I have the upload script in folder /www in the www.domain.com server and I want upload the files to /www/uploads folder. So how do write the path in the php script? Thanks -Will -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
Never mind. I got that sorted out! Thanks anyway... -Will William Stokes [EMAIL PROTECTED] kirjoitti viestissä:[EMAIL PROTECTED] Okl I can't reverse engineer that... I just need to know how to set the path. now I have it like this and it wont work. $fileame comes from a form. if (copy($filename, /imagedir/ . $filename_name)) print H2upload succesful!/H2; Tristan Pretty [EMAIL PROTECTED] kirjoitti viestissä:[EMAIL PROTECTED] http://www.hotscripts.com/Detailed/24113.html take a look at this.. perhaps you can reverse engineer it William Stokes [EMAIL PROTECTED] 24/03/2005 09:18 To php-general@lists.php.net cc Subject [PHP] file upload Hello, I'm (slowly) learning how to make a file upload stuff with php. Now I would like to know how to define the servers upload directory in the code? For example I have the upload script in folder /www in the www.domain.com server and I want upload the files to /www/uploads folder. So how do write the path in the php script? Thanks -Will -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File upload, suid directory and temporary dir
ADNET Ghislain wrote: upload_tmp_dir/www/htdocs/upload /no value/ ^^^ / / *THIS* is the one that matters -+ Somehow, you are OVER-RIDING your php.ini in either .htaccess or your PHP source to set this upload_tmp_dir to a blank, or an invalid directory or... Or, perhaps, your suid bit setting is making PHP nervous, and it's deciding to not use that directory, so then it reverts to the default when you do the upload. So PHP is reading the php.ini, setting the value, then over-riding it somewhere/somehow locally in an .htaccess or something. Hope that helps.` -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File upload, suid directory and temporary dir
ADNET Ghislain wrote: I am trying to make upload files to belong to the ftp user of the website and not the apache user. As i run in module i tried to do this: 1/ create a temp dir on the website outside the documentroot, chown the temp dir to my ftp user and allow the group to write,, put the same group as the webserver on the tmp dir too. 2/ then chmod u+s it (so with suid on the directory) and at the end i put my upload_tmp_dir setting to this directory. I was quite sure it would solve the issue BUT ... (there is allway a BUT... ;) when i run the simple script at php.net it gives me this output : -- File is valid, and was successfully uploaded. Here is some more debugging info:Array ( [userfile] = Array ( [name] = afnic-adherent-200x80.gif [type] = image/gif [tmp_name] = /var/tmp/php2L6xR7 [error] = 0 [size] = 17710 ) ) You see : [tmp_name] = /var/tmp/php2L6xR7 and the file belong to the apache user... not the ftp one :( So really i wonder if anyone found a solution to this problem, or can explain me why this setup fails ? Apache was still the user that created the file, and therefore it will belong to Apache until somebody does a 'chown' on the file. Only the superuser can 'chown' a file. Thus, you will need a sudo script of some kind to do the chown, or some way to let the FTP user create the file, then the Apache user's data to go in it. So, some options: 1. Write a cron job as root to chown ftp:ftp /var/tmp/php* This has the severe down-side of maybe someday changing stuff you *WANT* to be owned by Apache. 2. Let Apache move the files somewhere else, like, say: /var/to_ftp/ and then do #1 above. 3. When a file is uploaded, have PHP be able to execute a shell command that has the FTP user create a temp file, writable by Apache, and then Apache can copy its temp file to the FTP temp file by doing fopen/fwrite/fclose. It will still be owned by FTP user, but Apache can fill it up with whatever data it wants. You should add some serious sanity checking on the data when you READ these files, however, if you have untrusted users on the system. Or a routine audit/sweep of all these files to be SURE they are kosher, or... 4. Provide a shell script which allows the Apache user to chown *ONLY* files within /var/tmp, and *ONLY* files that start with 'php' and then Apache can chown the files to the FTP user. Don't give Apache free rein to chown any old file it wants! [shudder] 5. Easiest: Let Apache move_uploaded_file somewhere, and make it readable by FTP user. Have FTP user copy over files from the Apache storage space. When the FTP user creates the new file, it will be owned by the FTP user. Again, you want to put some controls/checks on this to be sure it's not abused. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload error
Thanks for the replies. My manual was out of date, not that it would have made any difference to this anyway as . upload_tmp_dir variable was correctly set in the php.ini file, and I'd restarted the web server several times. It seems however that the file is getting cached somehow, and is not re-read until I restart the entire box. Anyone out there know why this may be, or a slightly better way of getting around it than rebooting? (By the way, the upload functionality is fine after the reboot :)) Ta Tom Marek Kilimajer wrote: Tom wrote: Hi I have a very simple file upload form and script to handle it (copied verbatim from the php manual, except for the file target location and the script name). However, it always fails, with an error code in the _FILE array or 6. Does anyone know what this error is or what I am likely to have set wrong? All that I can find in the docs are errors from 0 to 4 :-( It's there: http://sk.php.net/manual/en/features.file-upload.errors.php UPLOAD_ERR_NO_TMP_DIR Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 5.0.3. Note: These became PHP constants in PHP 4.3.0. Set the correct upload_tmp_dir in php.ini and restart webserver -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload error
Tom wrote: Thanks for the replies. My manual was out of date, not that it would have made any difference to this anyway as . upload_tmp_dir variable was correctly set in the php.ini file, and I'd restarted the web server several times. It seems however that the file is getting cached somehow, and is not re-read until I restart the entire box. Anyone out there know why this may be, or a slightly better way of getting around it than rebooting? (By the way, the upload functionality is fine after the reboot :)) Several possibilities here... First, you can ERADICATE the idea that the file was getting cached, at least by Apache or PHP. Maybe you've got something really funky in your file-system to cache it, but that's also incredibly unlikely. On to the possible scenarios: 1. You only *THOUGHT* you re-started Apache, but the script you use to stop/start Apache, or Apache itself, failed to inform you that it didn't stop and then start correctly. 2. You *DID* re-start Apache, but the script you used is telling Apache to read a DIFFERENT httpd.conf from the one that gets read by your boot processing script (/etc/rc.init/[apache|httpd] probably, on Linux). That different httpd.conf, in turn, points to a DIFFERENT php.ini and/or mod_php.so getting loaded, so the php.ini you *thought* was getting re-loaded when you restarted Apache, was not the one really getting loaded. You can easily confirm/deny #2 by looking at ?php phpinfo();? after a re-boot, then re-starting Apache, then looking at ?php phpinfo();? again. The same php.ini file should be listed near the top in both cases, or you'll quickly find out which php.ini file[s] are being read. For #1, you can try your Apache re-start again, and use http://localhost/server-status (or is that server_status) to see Apache's up-time, if you have mod_status installed. Or you could use ps auxwww | grep httpd to see how long Apache has been runing. Or maybe use top to find out if you really really re-started Apache. Hopefully, this is a development machine so you can re-start and re-boot as needed to track down what is or isn't happening. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File upload difference between browsers
Graham Cossey wrote:
The problem is that I want to ensure that the file being uploaded is a
CSV file, so I test the $_FILES['file']['type'] value.
That only ensures that somebody else can forge the type header being sent
to you.
Anybody with half a clue (okay, a clue and a half) could do that:
telnet example.com 80
POST /your_form.php HTTP/1.1
Host: example.com
Content-type: text/comma-separated-values
INSERT FAVORITE TROJAN WORM HERE
So it's pretty useless as a security measure...
In Firefox IE it is returned as application/octet-stream but in
Opera it is returned as text/comma-separated-values, the latter
being what I would expect.
Plus, as you have discovered, the browser manufacturers have absolutely no
concept of standards when it comes to setting Content-type: on an
uploaded file.
Can anyone offer some advice on how I can reliably test for a valid CSV
file?
Actually, you're very lucky on this one, in that you can use
http://php.net/fgetcsv on it, repeatedly, and either PHP has an error, or
PHP doesn't, and then you KNOW it parses as a valid CSV file, from
beginning to end.
So, what you *MIGHT* do would be something like this:
?php
.
.
.
flush();
ob_start();
$old_reporting = error_reportin(E_ALL | E_STRICT);
$csv = fopen($_FILES['file']['tmpname']) or print(ERROR: could not open
. $_FILES['file']['tmpname']);
if ($csv){
while (!feof($csv)){
$line = fgetcsv($csv, 100); //Lose the 100 in PHP 5
}
}
$php_output = ob_get_clean();
if (stristr($php_output, 'Error') || stristr($php_output, 'Warning') ||
stristr($php_output, 'Notice')){
//NOT a valid CSV file
}
else{
//CSV file is valid
}
//play nice, and set it back to what it was.
error_reporting($old_reporting);
?
You may not be able to READ $_FILE['file']['tmpname'], so you'd have to
move_uploaded_file() it to a staging area first, and then read that.
You might want to play around with the error_reporting setting a bit, and
a bunch of CSV test files from different sources.
You may want to rule that ANY output (strlen($php_output)) is indicative
of an error, rather than checking for 'Error' 'Warning' 'Notice' as I
did... In fact, that would probably be better.
If the files might be large, you may want to cache the CSV data you read,
and then you can use it later in your script, after you've read the whole
thing in and you know it's kosher... Course, if it's REALLY large, you'll
want to cache that in something like a temp table in MySQL or something,
just so you won't fill up RAM with some monster Array in PHP...
For a small CSV file, it really won't matter that much if you read it
twice -- It will probably be in the File System cache for you anyway,
depending on server load.
--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File upload difference between browsers
Graham Cossey wrote: I have a problem uploading a file in IE6 or Firefox1.0 but it works fine using Opera7.54. The problem is that I want to ensure that the file being uploaded is a CSV file, so I test the $_FILES['file']['type'] value. In Firefox IE it is returned as application/octet-stream but in Opera it is returned as text/comma-separated-values, the latter being what I would expect. The posting form has: enctype=multipart/form-data Can anyone offer some advice on how I can reliably test for a valid CSV file? (At least I have some security built-in, in so much as you have to use Opera to upload files !!) In Mozilla, you can go to Preferences - Naviator - Helper Applications. Then click New Type, fill in MIME type, description and extension, and that should be it. And then ask everyone to do that :) Or better don't rely on client supplied values. You can use mime_content_type() to find out the real mime type. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload error
Tom wrote: Hi I have a very simple file upload form and script to handle it (copied verbatim from the php manual, except for the file target location and the script name). However, it always fails, with an error code in the _FILE array or 6. Does anyone know what this error is or what I am likely to have set wrong? All that I can find in the docs are errors from 0 to 4 :-( It's there: http://sk.php.net/manual/en/features.file-upload.errors.php UPLOAD_ERR_NO_TMP_DIR Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 5.0.3. Note: These became PHP constants in PHP 4.3.0. Set the correct upload_tmp_dir in php.ini and restart webserver -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
akshay wrote: Hi all, I hv problem while file upload. I hv one server and multiple client. I want to upload a file from Server to client. how this is possible in PHP This is usualy called download. Is this what you want? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
On Thu, 20 Jan 2005 12:26:07 +0100, Marek Kilimajer [EMAIL PROTECTED] wrote:
akshay wrote:
Hi all,
I hv problem while file upload.
I hv one server and multiple client.
I want to upload a file from Server to client.
how this is possible in PHP
This is usualy called download. Is this what you want?
yeah. if that's what u're trying, check out the manual page on
fsockopen: http://php.net/function.fsockopen
the first example will give u an idea of what to do.
[code]
?php
$fp = fsockopen(www.example.com, 80, $errno, $errstr, 30);
if (!$fp) {
echo $errstr ($errno)br /\n;
} else {
$out = GET / HTTP/1.1\r\n;
$out .= Host: www.example.com\r\n;
$out .= Connection: Close\r\n\r\n;
fwrite($fp, $out);
while (!feof($fp)) {
echo fgets($fp, 128);
}
fclose($fp);
}
?
[/code]
the 02-Dec-2004 01:50 comment is also useful.
anirudh
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
Anirudh Dutt wrote:
On Thu, 20 Jan 2005 12:26:07 +0100, Marek Kilimajer [EMAIL PROTECTED] wrote:
akshay wrote:
Hi all,
I hv problem while file upload.
I hv one server and multiple client.
I want to upload a file from Server to client.
how this is possible in PHP
This is usualy called download. Is this what you want?
yeah. if that's what u're trying, check out the manual page on
fsockopen: http://php.net/function.fsockopen
the first example will give u an idea of what to do.
[code]
?php
$fp = fsockopen(www.example.com, 80, $errno, $errstr, 30);
if (!$fp) {
echo $errstr ($errno)br /\n;
} else {
$out = GET / HTTP/1.1\r\n;
$out .= Host: www.example.com\r\n;
$out .= Connection: Close\r\n\r\n;
fwrite($fp, $out);
while (!feof($fp)) {
echo fgets($fp, 128);
}
fclose($fp);
}
?
[/code]
the 02-Dec-2004 01:50 comment is also useful.
anirudh
what you're doing is server = server
What the akshay wants is server = client
The only not yet posted other options are client = client (which is
essentially impossible with PHP, unless you use the server=server
setup) and client = server (which is called uploading)
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] file upload
On Thu, 20 Jan 2005 13:30:35 +0100, M. Sokolewicz [EMAIL PROTECTED] wrote: what you're doing is server = server What the akshay wants is server = client The only not yet posted other options are client = client (which is essentially impossible with PHP, unless you use the server=server setup) and client = server (which is called uploading) right. i assumed he wanted to do something like get a file from another server and then send/display it to the client (news picker for a feed or comic strip ripper). if the file is on the same server, then a simple download would do ;-) or if the script's gonna generate data dynamically, then it would have to send the Content-Disposition, Pragma, etc. headers. @akshay: the headers to be sent differ for normal browsers and IE. anirudh -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] File Upload Problem
Wayne Donaho wrote: I am trying to run a file upload using PHP as a CGI script and am running into an odd error. The error I am getting is the dreaded Server Error -- Error 500 Premature end of script headers: php.cgi Some more analysis ideas: On the very first line of your script, print out something and call http://php.net/flush and then exit;. Or is that what your it ran script does? Just want to be sure you have the exit; in there to be SURE it's a server configuration error, and not something actually in your script to kill PHP/CGI/Apache-child. Check httpd.conf settings -- Perhaps you specifically disallowed certain kinds of HTTP requests there... I have no idea *how* you can do this, or if you can do this, but I hypothesize that it's possible to be done, so maybe you did it. I know you can disallow GET and/or POST etc, but not sure you can fine-tune it down to mime-type or not. It's up to you to figure out if this can be done, and if you've done it in httpd.conf or not. Possibly also in .htaccess, also. See if you can trigger the problem with *other* valid types of ENCTYPE -- The one used in the ubiquitous PostToHost function comes to mind. If you can determine that it's more than just multipart/form-data, and also include, say, 'application/x-www-form-urlencoded' then it may help identify the source or the problem. For fun, take out the suexec on your development server and prove, once and for all, that it's not related to suexec. Since you've already tried so many other things, compile PHP without *ANY* of the extra stuff. No payfloPRO. No GD. No zlib. No jpeg. No xpm. No curl. No nothin' but --with-cgi (or whatever it is). Just to eliminate other software from the picture of possible culprits. Are you doing any of this through SSL? You don't really say, but you've got SSL in the ./configure... Try it without SSL, of course, if you've only tried with SSL so far. Don't see how it could help, but error_reporting E_ALL is always a Good Idea. :-) Here is the diagnosis I have done. 1. The php.cgi executable deals with scripts correctly when using the GET method. 2. The php.cgi script deals with POST method requests properly when the enctype is NOT multipart/form-data This rules out suexec type errors. (in any case the suexec log shows everything is good). 3. File uploads using the mod_php work fine (this rules out apache not accepting the file) 4. the CGI log shows the request being sent to the script, and that there is no result. 5. The above error is not script dependent, the error occurs with a on-line script that prints the string it ran when the form enctype is multipart/form-data. 6. The upload script is being taken from a different box running different versions of apache/php and the script works correctly there. I have tried this with various version of php all with the same results. I have built it with php.4.3.10. Here are the configure options from the phpinfo report: './configure' '--enable-force-cgi-redirect' '--with-openssl' '--with-curl' '--with-mysql' '--with-cgi' '--with-pfpro=/home/wayne/verisign/payflowpro/linuxrh9' '--with-gd' '--with-jpeg-dir' '--with-zlib-dir' '--with-xpm-dir' '--with-freetype-dir' '--enable-ftp' I have the following file variables set: error_reporting 2039 file_uploads On log_errors On max_input_time -1 post_max_size 8M safe_mode off upload_max_filesize 2M upload_tmp_dir /tmp -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
