Re: [PHP] File Upload MultiPart

2013-02-24 Thread tamouse mailing lists 
On Sun, Feb 24, 2013 at 1:07 PM,   wrote:
> Hello,
>
> I have been looking how to upload big files more than 1GB , with php but it
> doesn't work well. I guess php POST multipart method is to memory consuming.
> Is there a way , like in the apache.commons to catch the stream and handle
> it ?
> I've looked at the rfc1867.c file implementation and it seems that this is
> where the memory goes really up. Is there a way we could change this ?
>
> Kind Regards
> Wim
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Although loathe to respond to someone listed as "user@domain.local"...

Maybe look at 
http://stackoverflow.com/questions/10961538/uploading-very-large-files-5gb-to-15gb

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Problem

2011-04-06 Thread Daniel Brown 
On Wed, Apr 6, 2011 at 13:10, tedd  wrote:
> Hi gang:
>
> I wrote a simple script to upload image files from my desktop to a server --
> the exact same code works on two servers, but fails on a third.
>
> I suspect there is something set different between the servers, but I can't
> find it.
>
> Oddly enough, I can upload image files directly to the database, but not to
> the file system.
>
> What could be wrong? What should I be looking for?

Are file uploads enabled and is the size of the file less than the
upload size limitation?  Is the disk or partition to which the
temporary files are being uploaded out of space, whereas the database
- perhaps on a different physical disk or partition - still has
sufficient free space?  Are you sure the user as which the web server
(presumably Apache) runs has permission to write to the temporary and
target directory?  Is the account near or at its disk quota?

-- 

Network Infrastructure Manager
http://www.php.net/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Problem

2011-04-06 Thread Bastien Koert 
On Wed, Apr 6, 2011 at 1:10 PM, tedd  wrote:
> Hi gang:
>
> I wrote a simple script to upload image files from my desktop to a server --
> the exact same code works on two servers, but fails on a third.
>
> I suspect there is something set different between the servers, but I can't
> find it.
>
> Oddly enough, I can upload image files directly to the database, but not to
> the file system.
>
> What could be wrong? What should I be looking for?
>
> Cheers,
>
> tedd
>
> --
> ---
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

check out the max post size

-- 

Bastien

Cat, the other other white meat

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload utility ?

2011-02-07 Thread Daniel Brown 
On Mon, Feb 7, 2011 at 11:03, Frank Bonnet  wrote:
> I found nothing that's why I wrote this !!!

My point is, you only told everyone what you're trying to do.  Not
once did you ask a question or mention where you're seeking guidance,
other than your ambivalence on file uploads and distribution.  The
ambiguous nature of your expression makes it even more difficult: you
want a utility, not help in authoring it in PHP.  This is a PHP
programming mailing list for peer-to-peer support by members of the
community, not a "tell me the name of software I can download to do
this job" group.

-- 

Network Infrastructure Manager
Documentation, Webmaster Teams
http://www.php.net/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload utility ?

2011-02-07 Thread Jim Lucas 
On 2/7/2011 8:03 AM, Frank Bonnet wrote:
> On 02/07/2011 05:01 PM, Daniel Brown wrote:
>> On Mon, Feb 7, 2011 at 10:56, Frank Bonnet  wrote:
>>> Hello
>>>
>>> I'm searching for a utility that let our users upload a file
>>> on a server , then generate a temporary link that point
>>> to the real file.
>>>
>>> As this is for internal use we don't need security, the file
>>> can be read by anyone.
>>>
>>> The goal is to distribute the file to our users by sending
>>> them an email containing the address of the http temporary
>>> link instead of sending it as an email attachement X 1000 ...
>>  Sounds great.  Good luck in your Google search.
>>
> I found nothing that's why I wrote this !!!
> 
> 
> 

Frank,

Not sure what words you used, here was mine

php file upload examples

Those words resulted in these two at the top of the list

http://www.tizag.com/phpT/fileupload.php
http://www.w3schools.com/PHP/php_file_upload.asp

I briefly read each of them and they are sufficient for what you are trying to
do.  All you have to do is tie in the email portion and that's that.

So, again, to google, I typed these wonderful words of wisdom.

php email example

The first result was this

http://www.w3schools.com/PHP/php_mail.asp

This will get you a very simple email script working.  Personally, I would not
do it this way, but since you mention that this will be all internal, it will
probably do just fine.  If you want a little more control over the email or plan
to use this to send email to outside recipients, I would recommend doing it
differently.

phpmailer

Download that package, then follow its tutorials on how to set it up and send
emails.

phpmailer examples

The first result is this

http://phpmailer.worxware.com/index.php?pg=examples

It has a variety of examples that should cover almost any scenario you can
possibly think of.

Just one thing, do not try and be a cut/paste god here.  Actually take time to
read the examples and understand what they do before you put them into 
production.

This will now end my "How to use Google" segment for the day.

Jim Lucas

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload utility ?

2011-02-07 Thread Ashley Sheridan 
"Frank Bonnet"  wrote:

>On 02/07/2011 05:01 PM, Daniel Brown wrote:
>> On Mon, Feb 7, 2011 at 10:56, Frank Bonnet  wrote:
>>> Hello
>>>
>>> I'm searching for a utility that let our users upload a file
>>> on a server , then generate a temporary link that point
>>> to the real file.
>>>
>>> As this is for internal use we don't need security, the file
>>> can be read by anyone.
>>>
>>> The goal is to distribute the file to our users by sending
>>> them an email containing the address of the http temporary
>>> link instead of sending it as an email attachement X 1000 ...
>>  Sounds great.  Good luck in your Google search.
>>
>I found nothing that's why I wrote this !!!
>
>
>
>--
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php

Try googling for the following bits:

File upload form
move_uploaded_file()
file_get_contents()

That will get you going, then if you have written a script and get stuck then 
you can ask us on specifics here. We don't write whole code for you.


Thanks
Ash
http://www.ashleysheridan.co.uk
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload utility ?

2011-02-07 Thread Frank Bonnet 

On 02/07/2011 05:01 PM, Daniel Brown wrote:

On Mon, Feb 7, 2011 at 10:56, Frank Bonnet  wrote:

Hello

I'm searching for a utility that let our users upload a file
on a server , then generate a temporary link that point
to the real file.

As this is for internal use we don't need security, the file
can be read by anyone.

The goal is to distribute the file to our users by sending
them an email containing the address of the http temporary
link instead of sending it as an email attachement X 1000 ...

 Sounds great.  Good luck in your Google search.


I found nothing that's why I wrote this !!!



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload utility ?

2011-02-07 Thread Daniel Brown 
On Mon, Feb 7, 2011 at 10:56, Frank Bonnet  wrote:
> Hello
>
> I'm searching for a utility that let our users upload a file
> on a server , then generate a temporary link that point
> to the real file.
>
> As this is for internal use we don't need security, the file
> can be read by anyone.
>
> The goal is to distribute the file to our users by sending
> them an email containing the address of the http temporary
> link instead of sending it as an email attachement X 1000 ...

Sounds great.  Good luck in your Google search.

-- 

Network Infrastructure Manager
Documentation, Webmaster Teams
http://www.php.net/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File-Upload per Drag-N-Drop?

2011-01-05 Thread tedd 

At 7:23 PM +0100 12/29/10, Michelle Konzack wrote:

Hello,

my users have an Online-File-Store with nearly anything  they  need  but
one feature is missing:  Drag-D-Drop.

I like to implement Drag-D-Drop so users can Drag a file  from  a  File-
Manager and Drop it on the Upload-Icon in my Webinterface.

Can someone tell me HOW THIS WORKS?


It works on the client-side and only IF the user allows javascript to 
be turned on.


This is a php list -- I suggest that you post this question to a 
javascript list or even jQuery (Google it).


Cheers,

tedd

--
---
http://sperling.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File-Upload per Drag-N-Drop?

2010-12-30 Thread Paul M Foster 
On Wed, Dec 29, 2010 at 07:23:25PM +0100, Michelle Konzack wrote:

> Hello,
> 
> my users have an Online-File-Store with nearly anything  they  need  but
> one feature is missing:  Drag-D-Drop.
> 
> I like to implement Drag-D-Drop so users can Drag a file  from  a  File-
> Manager and Drop it on the Upload-Icon in my Webinterface.
> 
> Can someone tell me HOW THIS WORKS?

This is a client-side question. Javascript can handle drag-n-drop;
WordPress does this in its site administration screens. However, it does
not do it from a file manager window.

In any case, this is a client side, not a PHP question.

Paul

-- 
Paul M. Foster
http://noferblatz.com


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File-Upload per Drag-N-Drop?

2010-12-29 Thread a...@ashleysheridan.co.uk 
On a slight tangent, but is that signature why I'm not able to read any of 
michelles emails on my phone? For some reason, only her emails get stuck and 
won't download, so I have to wait til someone else replies.

To answer the question on this, I've not yet seen a cross platform answer to 
this question; only several different platform dependent solutions from one 
vendor to handle each main OS.

Thanks,
Ash
http://www.ashleysheridan.co.uk

- Reply message -
From: "Michael Shadle" 
Date: Wed, Dec 29, 2010 21:38
Subject: [PHP] File-Upload per Drag-N-Drop?
To: "Michelle Konzack" 
Cc: "PHP - General" 


On Wed, Dec 29, 2010 at 10:30 AM, Daniel P. Brown
 wrote:

>    That's more of a frontend question to which you and your
> six-million-line signature should check Google to find the answer.
> Don't get me wrong, Michelle, we've always tried to help out even with
> off-topic questions, but this is really pushing it a bit too far with
> all of the non-PHP questions you've been asking lately.

a) +1 - this isn't php-general anymore this feels like
michelle-development-requests (with a horribly long signature) - but I
don't mean to be harsh.

b) HTML5 should be what you want, at some point very soon.

Silverlight isn't fully cross platform
Java is your most universal applet language
fFash has odd issues, but would be second best
but HTML5, that's going to address it all.

Google for "plupload" it has all the different upload applet types and
tries to determine which one will be best for you. has the client side
and server side pieces included.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File-Upload per Drag-N-Drop?

2010-12-29 Thread Michael Shadle 
On Wed, Dec 29, 2010 at 10:30 AM, Daniel P. Brown
 wrote:

>    That's more of a frontend question to which you and your
> six-million-line signature should check Google to find the answer.
> Don't get me wrong, Michelle, we've always tried to help out even with
> off-topic questions, but this is really pushing it a bit too far with
> all of the non-PHP questions you've been asking lately.

a) +1 - this isn't php-general anymore this feels like
michelle-development-requests (with a horribly long signature) - but I
don't mean to be harsh.

b) HTML5 should be what you want, at some point very soon.

Silverlight isn't fully cross platform
Java is your most universal applet language
fFash has odd issues, but would be second best
but HTML5, that's going to address it all.

Google for "plupload" it has all the different upload applet types and
tries to determine which one will be best for you. has the client side
and server side pieces included.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] File-Upload per Drag-N-Drop?

2010-12-29 Thread Tommy Pham 
> -Original Message-
> From: Michelle Konzack [mailto:linux4miche...@tamay-dogan.net]
> Sent: Wednesday, December 29, 2010 10:23 AM
> To: PHP - General
> Subject: [PHP] File-Upload per Drag-N-Drop?
> 
> Hello,
> 
> my users have an Online-File-Store with nearly anything  they  need  but
> one feature is missing:  Drag-D-Drop.
> 
> I like to implement Drag-D-Drop so users can Drag a file  from  a  File-
> Manager and Drop it on the Upload-Icon in my Webinterface.
> 
> Can someone tell me HOW THIS WORKS?
> 

This sounds like RIA = Rich Internet Application.  Try google'ing for it.
YMMV depends on platform & technology supported.

Regards,
Tommy

> Thanks, Greetings and nice Day/Evening
> Michelle Konzack
> 
> --
> # Debian GNU/Linux Consultant
> ##
>Development of Intranet and Embedded Systems with Debian GNU/Linux
> 
> itsyst...@tdnet France EURL   itsyst...@tdnet UG (limited liability)
> Owner Michelle KonzackOwner Michelle Konzack
> 
> Apt. 917 (homeoffice)
> 50, rue de Soultz Kinzigstraße 17
> 67100 Strasbourg/France   77694 Kehl/Germany
> Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
> Tel: +33-9-52705884 fix
> 
> 
> 
>  
> 
> Jabber linux4miche...@jabber.ccc.de
> 
> Linux-User #280138 with the Linux Counter, http://counter.li.org/


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File-Upload per Drag-N-Drop?

2010-12-29 Thread Daniel P. Brown 
On Wed, Dec 29, 2010 at 13:23, Michelle Konzack
 wrote:
> Hello,
>
> my users have an Online-File-Store with nearly anything  they  need  but
> one feature is missing:  Drag-D-Drop.
>
> I like to implement Drag-D-Drop so users can Drag a file  from  a  File-
> Manager and Drop it on the Upload-Icon in my Webinterface.
>
> Can someone tell me HOW THIS WORKS?

That's more of a frontend question to which you and your
six-million-line signature should check Google to find the answer.
Don't get me wrong, Michelle, we've always tried to help out even with
off-topic questions, but this is really pushing it a bit too far with
all of the non-PHP questions you've been asking lately.

-- 

Dedicated Servers, Cloud and Cloud Hybrid Solutions, VPS, Hosting
(866-) 725-4321
http://www.parasane.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload

2010-01-30 Thread Ashley Sheridan 
On Sat, 2010-01-30 at 14:40 +0100, Ali Reza Sajedi wrote:

> Thank you for your replys.
> 
> In php.ini  upload_tmp_dir is not set, so that the system should use its 
> default tmp folder.
> 
> It used to work properly. But, after a system update from centos5.3 to 
> centos5.4 this malfunction is now observed.
> 
> Any idea?
> 
> Kind regards
> 
> Ali
> 
>  
>   - Original Message - 
>   From: Eric Lee 
>   To: Ali Reza Sajedi 
>   Cc: phpList list 
>   Sent: Saturday, January 30, 2010 1:21 PM
>   Subject: Re: [PHP] File Upload
> 
> 
> 
> 
> 
>   On Sat, Jan 30, 2010 at 7:27 PM, Ali Reza Sajedi  
> wrote:
> 
> Hello,
> 
> When uploading a file the variable $_FILES['userfile']['tmp_name'] is not 
> set and when debugging I get the following error although /tmp folder exists 
> and the permissions are set to 777:
> 
> $_FILES['userfile']['error'] = 6
> 
> which says
> 
> UPLOAD_ERR_NO_TMP_DIR
> Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 
> 5.0.3.
> 
> Has anyone encountered such a problem or has a clue as to what the cause 
> could be?
> 
> 
> 
>   It might be the upload_tmp_dir no pointing to the right dir !
>   What is the current of it ?
> 
> 
> 
>   Regards,
>   Eric,
> 
> 
> 
> 
> Thank you.
> 
> Kind regards
> 
> Ali 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 
> 


The upgrade just changed the setting. If you set this in your php.ini,
it should work again.

Thanks,
Ash
http://www.ashleysheridan.co.uk

Re: [PHP] File Upload

2010-01-30 Thread Ali Reza Sajedi 
Thank you for your replys.

In php.ini  upload_tmp_dir is not set, so that the system should use its 
default tmp folder.

It used to work properly. But, after a system update from centos5.3 to 
centos5.4 this malfunction is now observed.

Any idea?

Kind regards

Ali

 
  - Original Message - 
  From: Eric Lee 
  To: Ali Reza Sajedi 
  Cc: phpList list 
  Sent: Saturday, January 30, 2010 1:21 PM
  Subject: Re: [PHP] File Upload





  On Sat, Jan 30, 2010 at 7:27 PM, Ali Reza Sajedi  
wrote:

Hello,

When uploading a file the variable $_FILES['userfile']['tmp_name'] is not 
set and when debugging I get the following error although /tmp folder exists 
and the permissions are set to 777:

$_FILES['userfile']['error'] = 6

which says

UPLOAD_ERR_NO_TMP_DIR
Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 
5.0.3.

Has anyone encountered such a problem or has a clue as to what the cause 
could be?



  It might be the upload_tmp_dir no pointing to the right dir !
  What is the current of it ?



  Regards,
  Eric,




Thank you.

Kind regards

Ali 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload

2010-01-30 Thread Eric Lee 
On Sat, Jan 30, 2010 at 7:27 PM, Ali Reza Sajedi wrote:

> Hello,
>
> When uploading a file the variable $_FILES['userfile']['tmp_name'] is not
> set and when debugging I get the following error although /tmp folder exists
> and the permissions are set to 777:
>
> $_FILES['userfile']['error'] = 6
>
> which says
>
> UPLOAD_ERR_NO_TMP_DIR
> Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP
> 5.0.3.
>
> Has anyone encountered such a problem or has a clue as to what the cause
> could be?
>
>
It might be the upload_tmp_dir no pointing to the right dir !
What is the current of it ?



Regards,
Eric,



Thank you.
>
> Kind regards
>
> Ali
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Re: [PHP] File Upload

2010-01-30 Thread Kim Madsen 

Ali Reza Sajedi wrote on 30/01/2010 12:27:


UPLOAD_ERR_NO_TMP_DIR
Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and PHP 
5.0.3.


Has anyone encountered such a problem or has a clue as to what the cause 
could be?


What does "print phpinfo()"; tell you about the upload_tmp_dir?

--
Kind regards
Kim Emax - masterminds.dk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File upload directive: $_FILES['filename']['name'] instead of $_FILES['filename']['tmp_name']

2009-12-26 Thread Richard Quadling 
2009/12/23 Andrei Iarus 
>
> Found the problem: I use Zend Framework, and after using a procedre, it is 
> automatically moved. :( Thanks very much, I thought it was a problem with 
> PHP, but from now on, it is a Zend Framework problem. Thanks again.
>
> --- On Wed, 12/23/09, Richard Quadling  wrote:
>
> From: Richard Quadling 
> Subject: Re: [PHP] File upload directive: $_FILES['filename']['name'] instead 
> of $_FILES['filename']['tmp_name']
> To: "Andrei Iarus" , "PHP General list" 
> 
> Date: Wednesday, December 23, 2009, 7:52 PM
>
> 2009/12/23 Andrei Iarus :
> > Of course: also tried the is_uploaded_file, exactly like in the manual. And
> > it fails.... :(
> >
> > --- On Wed, 12/23/09, Richard Quadling  wrote:
> >
> > From: Richard Quadling 
> > Subject: Re: [PHP] File upload directive: $_FILES['filename']['name']
> > instead of $_FILES['filename']['tmp_name']
> > To: "Andrei Iarus" 
> > Cc: php-general@lists.php.net
> > Date: Wednesday, December 23, 2009, 6:10 PM
> >
> > 2009/12/22 Andrei Iarus :
> >> Hello,
> >>
> >> On my production & testing servers (production runs on a centrino and
> >> testing runs on Windows) I can only access the temporary uploaded file 
> >> using
> >> ini_get( 'upload_tmp_dir' . '/' . $_FILES['filename']['name'];
> >> while the file $_FILES['filename']['tmp_name'] simply does not exist
> >> (checked with file_exists() function, and also looking in the temporary
> >> folder).
> >>
> >> Is there a problem with my PHP installations? Is there any directive to
> >> change this bihaviour?
> >>
> >> On production: PHP 5.2.10 and on testing: PHP 5.2.8 and 5.3.0
> >>
> >> Thanks in advance.
> >>
> >>
> >>
> >
> > 2 functions to get to grips with:
> >
> > 1 - is_uploaded_file()
> > 2 - move_uploaded_file()
> >
> > Example from http://php.net/is_uploaded_file
> >
> >  >
> > if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
> >    echo "File ". $_FILES['userfile']['name'] ." uploaded successfully.\n";
> >    echo "Displaying contents\n";
> >    readfile($_FILES['userfile']['tmp_name']);
> > } else {
> >    echo "Possible file upload attack: ";
> >    echo "filename '". $_FILES['userfile']['tmp_name'] . "'.";
> > }
> >
> > ?>
> >
> >
> > --
> > -
> > Richard Quadling
> > "Standing on the shoulders of some very clever giants!"
> > EE : http://www.experts-exchange.com/M_248814.html
> > Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
> > ZOPA : http://uk.zopa.com/member/RQuadling
> >
> >
>
> What version of Windows?
>
> Can you provide a really basic test?
>
> And a var_dump($_FILES) please?
>
> --
> -
> Richard Quadling
> "Standing on the shoulders of some very clever giants!"
> EE : http://www.experts-exchange.com/M_248814.html
> Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
> ZOPA : http://uk.zopa.com/member/RQuadling
>

Glad you got it worked out.

--
-
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File upload directive: $_FILES['filename']['name'] instead of $_FILES['filename']['tmp_name']

2009-12-23 Thread Richard Quadling 
2009/12/23 Andrei Iarus :
> Of course: also tried the is_uploaded_file, exactly like in the manual. And
> it fails :(
>
> --- On Wed, 12/23/09, Richard Quadling  wrote:
>
> From: Richard Quadling 
> Subject: Re: [PHP] File upload directive: $_FILES['filename']['name']
> instead of $_FILES['filename']['tmp_name']
> To: "Andrei Iarus" 
> Cc: php-general@lists.php.net
> Date: Wednesday, December 23, 2009, 6:10 PM
>
> 2009/12/22 Andrei Iarus :
>> Hello,
>>
>> On my production & testing servers (production runs on a centrino and
>> testing runs on Windows) I can only access the temporary uploaded file using
>> ini_get( 'upload_tmp_dir' . '/' . $_FILES['filename']['name'];
>> while the file $_FILES['filename']['tmp_name'] simply does not exist
>> (checked with file_exists() function, and also looking in the temporary
>> folder).
>>
>> Is there a problem with my PHP installations? Is there any directive to
>> change this bihaviour?
>>
>> On production: PHP 5.2.10 and on testing: PHP 5.2.8 and 5.3.0
>>
>> Thanks in advance.
>>
>>
>>
>
> 2 functions to get to grips with:
>
> 1 - is_uploaded_file()
> 2 - move_uploaded_file()
>
> Example from http://php.net/is_uploaded_file
>
> 
> if (is_uploaded_file($_FILES['userfile']['tmp_name'])) {
>    echo "File ". $_FILES['userfile']['name'] ." uploaded successfully.\n";
>    echo "Displaying contents\n";
>    readfile($_FILES['userfile']['tmp_name']);
> } else {
>    echo "Possible file upload attack: ";
>    echo "filename '". $_FILES['userfile']['tmp_name'] . "'.";
> }
>
> ?>
>
>
> --
> -
> Richard Quadling
> "Standing on the shoulders of some very clever giants!"
> EE : http://www.experts-exchange.com/M_248814.html
> Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
> ZOPA : http://uk.zopa.com/member/RQuadling
>
>

What version of Windows?

Can you provide a really basic test?

And a var_dump($_FILES) please?

-- 
-
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File upload directive: $_FILES['filename']['name'] instead of $_FILES['filename']['tmp_name']

2009-12-23 Thread Richard Quadling 
2009/12/22 Andrei Iarus :
> Hello,
>
> On my production & testing servers (production runs on a centrino and testing 
> runs on Windows) I can only access the temporary uploaded file using
> ini_get( 'upload_tmp_dir' . '/' . $_FILES['filename']['name'];
> while the file $_FILES['filename']['tmp_name'] simply does not exist (checked 
> with file_exists() function, and also looking in the temporary folder).
>
> Is there a problem with my PHP installations? Is there any directive to 
> change this bihaviour?
>
> On production: PHP 5.2.10 and on testing: PHP 5.2.8 and 5.3.0
>
> Thanks in advance.
>
>
>

2 functions to get to grips with:

1 - is_uploaded_file()
2 - move_uploaded_file()

Example from http://php.net/is_uploaded_file




-- 
-
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload question

2009-08-03 Thread Phpster 





On Aug 3, 2009, at 7:04 AM, seb  wrote:


Hey all,

i am using move_upload function to upload files to the server, but i  
want to add a feature that will allow files to be archived that have  
been uploaded already.


so, the problem is:

i upload a file that i want to "upgrade" and move the old file to an  
archive directory but I want to verify the NEW file is upload BEFORE  
moving the old file (the file being uploaded might not have the same  
filename as the old file currently on the server)..


i want to move the old file only when the new file was successfully  
uploaded. something like:




only one problem.. then if both files have the same name it will be  
overwritten before it moves the old one i want to save. if i move  
the old one first, there still the possibility of the new upload  
failing so i am back to square one..


i guess i can move_upload to a different directory, verify it's been  
uploaded, move the old to the archive file, then move the new file  
back to where it should be (where the archive file was)..


is that my only option? any suggestions?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Do an check for the file before moving it

If(file_exists($filename)){
  // copy file out to archive
}

}if(move_uploaded_file())
{


}

Bastien






--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: php File upload

2008-08-08 Thread Per Jessen 
Tom wrote:

> "Per Jessen" <[EMAIL PROTECTED]> schrieb im Newsbeitrag
> news:[EMAIL PROTECTED]
> Tom wrote:
> 
>> Im very glad to fix this problem, but the next one is here: Other
>> machine (but 2 GB Ram), same suse version, same (working now) 
>> php.ini with limits to 5000M now and i can't upload a File greater
>> than 900MB. A file under 900MB i see the tmp file growing. A File
>> with +1 GB no temp file seeing at all and break after a view minutes.
>> It's horrible with no error codes and wasting pure of time :-(
>> 
>> The maximum size of an HTTP request is 2Gb.
>>
> 
> What is set this limit?
> 

I can't find it, but I'm pretty certain it's in RFC2616.


/Per Jessen, Zürich


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: php File upload

2008-08-08 Thread Tom 
What is set this limit?

"Per Jessen" <[EMAIL PROTECTED]> schrieb im Newsbeitrag 
news:[EMAIL PROTECTED]
Tom wrote:

> Im very glad to fix this problem, but the next one is here: Other
> machine (but 2 GB Ram), same suse version, same (working now)  php.ini
> with limits to 5000M now and i can't upload a File greater than 900MB.
> A file under 900MB i see the tmp file growing. A File with +1 GB no
> temp file seeing at all and break after a view minutes. It's horrible
> with no error codes and wasting pure of time :-(

The maximum size of an HTTP request is 2Gb.


/Per Jessen, Zürich



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: php File upload

2008-08-08 Thread Luke 
You could always program in something (perhaps in Ajax) to monitor the  
progress of the file upload and check for errors periodically.


Luke Slater

On 8 Aug 2008, at 11:55, Peter Ford <[EMAIL PROTECTED]> wrote:


Per Jessen wrote:

Tom wrote:

Im very glad to fix this problem, but the next one is here: Other
machine (but 2 GB Ram), same suse version, same (working now)   
php.ini
with limits to 5000M now and i can't upload a File greater than  
900MB.

A file under 900MB i see the tmp file growing. A File with +1 GB no
temp file seeing at all and break after a view minutes. It's  
horrible

with no error codes and wasting pure of time :-(

The maximum size of an HTTP request is 2Gb. /Per Jessen, Zürich


Also bear in mind that the file is MIME encoded (so probably  
actually a base-64 stream or some such) and the actual size of the  
data sent in the request is therefore likely to be some fraction  
bigger than the file itself (like 33% bigger for base-64 encoding)



--
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: php File upload

2008-08-08 Thread Peter Ford 

Per Jessen wrote:

Tom wrote:


Im very glad to fix this problem, but the next one is here: Other
machine (but 2 GB Ram), same suse version, same (working now)  php.ini
with limits to 5000M now and i can't upload a File greater than 900MB.
A file under 900MB i see the tmp file growing. A File with +1 GB no
temp file seeing at all and break after a view minutes. It's horrible
with no error codes and wasting pure of time :-(


The maximum size of an HTTP request is 2Gb. 



/Per Jessen, Zürich



Also bear in mind that the file is MIME encoded (so probably actually a base-64 
stream or some such) and the actual size of the data sent in the request is 
therefore likely to be some fraction bigger than the file itself (like 33% 
bigger for base-64 encoding)



--
Peter Ford  phone: 01580 89
Developer   fax:   01580 893399
Justcroft International Ltd., Staplehurst, Kent

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Re: php File upload

2008-08-08 Thread Per Jessen 
Tom wrote:

> Im very glad to fix this problem, but the next one is here: Other
> machine (but 2 GB Ram), same suse version, same (working now)  php.ini
> with limits to 5000M now and i can't upload a File greater than 900MB.
> A file under 900MB i see the tmp file growing. A File with +1 GB no
> temp file seeing at all and break after a view minutes. It's horrible
> with no error codes and wasting pure of time :-(

The maximum size of an HTTP request is 2Gb. 


/Per Jessen, Zürich


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Re: php File upload

2008-08-08 Thread Tom 
Problem solved (at one machine)!

I can upload  a ~ 2 GB File now on a machine with 1 GB Main Memory! No 
Problem, swap is used but no break now.
The answer is, i think, the dramatical overhead for http upload, simply my 
post_max_size and upload_max_size are to small. If i will upload 1 GB it 
must minimum 1.5 GB (better more) on this limit variables.
Im very glad to fix this problem, but the next one is here: Other machine 
(but 2 GB Ram), same suse version, same (working now)  php.ini with limits 
to 5000M now and i can't upload a File greater than 900MB.
A file under 900MB i see the tmp file growing. A File with +1 GB no temp 
file seeing at all and break after a view minutes. It's horrible with no 
error codes and wasting pure of time :-(
Now i begin at bottom on this machine.

Thanx for alle, who look for this problem.
Now we are the very only that can say that php 100% working file uploads if 
memory lower than the file size :-)




""Tom"" <[EMAIL PROTECTED]> schrieb im Newsbeitrag 
news:[EMAIL PROTECTED]
> Hi,
>
> on a linux system (Suese 10.2) with 1 GB memory its not possible to upload 
> via http a  1 Gb File. Thats no limit problem  on my php config. i can 
> look the mem stats when uploading and the growing tmp file. If the temp 
> file has 900 MB, Main Memory free is 0 and the script aborts and php 
> deletes the tmp file.
>
> Why don't php use swap memory ?
>
> Greets Tom
> 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security

2008-04-11 Thread Wolf 

Al wrote:
One of my sites has been hacked and I'm trying to find the hole.  The 
hack code creates dirs with "nobody" ownership, so it's obvious stuff is 
not via ftp [ownership would be foo]


Site is virtual host, Linux/Apache

I'm concerned about a file uploader my users use to upload photos.




First off, file type means NOTHING to people using uploaders. I have had 
a number of people try to hack my site with my uploader and they never 
succeed.


If you don't parse the first few lines of the file, you're probably 
gonna find yourself hacked again.  Depending on the size of the machine, 
you could just read the whole file and look for php somewhere in it, and 
if it exists, erase immediately.


image.php.gif.jpg would pass your test as far as checking extensions.

I have a number of the scripts used by others to try to hack my site 
available for download/review.  If you search the archives, you should 
find them.  If not, contact me directly and I'll send you the link to them.


HTH,
Wolf


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security

2008-04-11 Thread Bojan Tesanovic 

I would recommend something more strong
http://www.php.net/manual/en/function.exif-imagetype.php

or if you dont have exif
http://www.php.net/manual/en/function.getimagesize.php
will do also a trick.

One more thing, you are also allowing .txt and .css  which may be  
potential hole, as Apache can run .css also through PHP engine if  
configured to do so.
Sometimes I use PHP to process CSS so I can have dynamic CSS for some  
rare cases.







On Apr 12, 2008, at 2:24 AM, Al wrote:

One of my sites has been hacked and I'm trying to find the hole.   
The hack code creates dirs with "nobody" ownership, so it's obvious  
stuff is not via ftp [ownership would be foo]


Site is virtual host, Linux/Apache

I'm concerned about a file uploader my users use to upload photos.

Can anyone see a hole in this scrip? Can my code upload an  
executable masquerading as an image file?


$filetype = array("gif", "jpg", "jpeg", "png", "txt", css")

function csvt_file_upload($filetype, $max_size)
{
$prohibits = array("exe", "php", "inc", "php3", "pl", "bat",  
"cgi"); //common executables.

$absolute_max_size = 200;

end($_FILES); //get the "name" used by the html $name = key($_FILES); //could use the register variables, but  
this is safer.
if(isset($_FILES[$name]['name'])) $input_name = $_FILES[$name] 
['name'];


$error = "no"; //reset for error checks

if (!isset($filetype)) {
echo " File type assignment  
missing  ";

$error = "yes";
};

if (!isset($max_size)) {
echo " Max file size assignment  
missing.";

$error = "yes";
};

$filename = $_FILES[$name]['name'];
$tmp_name = $_FILES[$name]['tmp_name'];
$size = $_FILES[$name]['size'];

$absolute_path_file = getcwd(). DATA_DIR . $filename;


if (($size >= $max_size) OR ($size > $absolute_max_size)) {
echo " File size is too large. ";
$error = "yes";
}

$ext = substr(strrchr($filename, "."), 1); //get the extension,  
remove the "."

if (in_array($ext, $prohibits)) {
echo "Illegal file type,  
executable.\r\n";

$error = "yes";
}
if (is_executable($filename)) {
echo "Illegal file type, executable  
file.\r\n";

$error = "yes";
} //This is a double check in case $prohibits is incomplete.
if (is_array($filetype) AND !in_array($ext, $filetype)) {
echo "Illegal file type.\r\n";
$error = "yes";
}
if(!is_array($filetype) AND ($filetype != $ext)){
echo "Illegal file type.\r\n";
$error = "yes";
}
if ($error == "yes") {
echo "There was an error(s) with  
your file selection \"$input_name\" as the note(s) indicates.  
Please reselect, or remove your file selection and email for help.  
\r\n";

}
else {
if(!move_uploaded_file($tmp_name, $absolute_path_file))
		die("There was an error saving your file.  
Check permissions of " . DATA_DIR . " Must be 777 \r\n");


chmod($absolute_path_file, 0644);
}

return;
}

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Igor Jocic
http://www.carster.us/

Re: [PHP] File Upload Security

2008-04-11 Thread Al 



The hack puts this .htaccess in dozens of dirs
RewriteEngine On 

RewriteCond %{HTTP_REFERER} 
^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. 
[NC] 

RewriteCond %{HTTP_REFERER} 
[?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\= 



RewriteCond %{HTTP_REFERER} 
![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22) 



RewriteCond %{TIME_SEC} <59 

RewriteRule ^.*$ /StartLocs/maps/kapicag/ex3/t.htm [L] 
  # 
a995d2cc661fa72452472e9554b5520c


The kapicag/ex3/t.htm appears to be phishing site.



mike wrote:

How was it "hacked"?

That will help determine what kind of exploit might have been used.


On 4/11/08, Al <[EMAIL PROTECTED]> wrote:

One of my sites has been hacked and I'm trying to find the hole.  The hack
code creates dirs with "nobody" ownership, so it's obvious stuff is not via
ftp [ownership would be foo]


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security

2008-04-11 Thread mike 
How was it "hacked"?

That will help determine what kind of exploit might have been used.


On 4/11/08, Al <[EMAIL PROTECTED]> wrote:
> One of my sites has been hacked and I'm trying to find the hole.  The hack
> code creates dirs with "nobody" ownership, so it's obvious stuff is not via
> ftp [ownership would be foo]

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-08 Thread Sukhwinder Singh 


I think you have to go pretty far back in PHP history (in 'net time)
to find that to be true...

Not 100% sure, mind you, but pretty sure.



I also think that the thing about memory limit is not true these days. I 
have been able to upload 3.28 gb file with memory limit specified as 128 MB. 
I also commened about it earlier but was referred to php manual. The manual 
says that yes, and I head read it myself but didn't increase the memonry and 
it still worked


Sukhwinder Singh

- Original Message - 
From: "Richard Lynch" <[EMAIL PROTECTED]>

To: "Jim Moseby" <[EMAIL PROTECTED]>
Cc: "'Sukhwinder Singh'" <[EMAIL PROTECTED]>; 
Sent: Saturday, June 09, 2007 5:15 AM
Subject: RE: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs




On Thu, June 7, 2007 10:52 am, Jim Moseby wrote:

Rumor has it that uploaded files are stored in memory before being
committed
to disk. If so, the amount of free RAM available to PHP would be the
limit
to the filesize regardless of the ini file settings.


I think you have to go pretty far back in PHP history (in 'net time)
to find that to be true...

Not 100% sure, mind you, but pretty sure.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-08 Thread Richard Lynch 
On Thu, June 7, 2007 10:52 am, Jim Moseby wrote:
> Rumor has it that uploaded files are stored in memory before being
> committed
> to disk. If so, the amount of free RAM available to PHP would be the
> limit
> to the filesize regardless of the ini file settings.

I think you have to go pretty far back in PHP history (in 'net time)
to find that to be true...

Not 100% sure, mind you, but pretty sure.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-08 Thread Robert Cummings 
On Fri, 2007-06-08 at 10:53 -0400, tedd wrote:
> At 4:35 PM +0100 6/7/07, Stut wrote:
> >You need to look into maybe a java applet, or just plain 
> >FTP/SFTP/SCP for files that big. HTTP was never designed to handle 
> >uploading files of that size. For a start there is no facility to 
> >restart the upload should it get interrupted and fail.
> >
> >-Stut
> 
> -Stut:
> 
> Would the ftp commands (ftp_login, etc.) in php work for this?

No, those are for initiating an FTP connection from the server on which
PHP is hosted.

Cheers,
Rob.
-- 
..
| InterJinn Application Framework - http://www.interjinn.com |
::
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for   |
| creating re-usable components quickly and easily.  |
`'

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-08 Thread Stut 

tedd wrote:

At 4:35 PM +0100 6/7/07, Stut wrote:
You need to look into maybe a java applet, or just plain FTP/SFTP/SCP 
for files that big. HTTP was never designed to handle uploading files 
of that size. For a start there is no facility to restart the upload 
should it get interrupted and fail.


-Stut


-Stut:

Would the ftp commands (ftp_login, etc.) in php work for this?


Unfortunately not, unless every user needing to upload a file is running 
an FTP server.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-08 Thread tedd 

At 4:35 PM +0100 6/7/07, Stut wrote:
You need to look into maybe a java applet, or just plain 
FTP/SFTP/SCP for files that big. HTTP was never designed to handle 
uploading files of that size. For a start there is no facility to 
restart the upload should it get interrupted and fail.


-Stut


-Stut:

Would the ftp commands (ftp_login, etc.) in php work for this?

Cheers,

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-08 Thread Stut 

Sukhwinder Singh wrote:
You don't appear to have read what I said. A Java applet can use FTP 
to upload the file - PHP does not get involved in that part. Once the 
upload is complete the applet can POST to your PHP file giving it 
information like where it's put the file and this other information 
you need to give it so it can rename the file. This is the only bit 
PHP gets involved in and it doesn't involve trying to upload 4 gig 
over a machanism that was never designed for it.


Thanks again for replying.

I have read. I have been trying to find out way for last two days.
I can say about jupload and how it seems to work.
It uploads file to server in a temporary directory.
It has postURL parameter. Then it POSTS the data to php file.
Because it POSTS, the php configuration values comes into question.

Here is an example:

Settings in php.ini are 50M for upload_max_fisesize and 50M for 
post_max_size.

I used japplet  and  uploaded a 51.89 MB file.

This is what is in error log.

[08-Jun-2007 03:06:29] PHP Warning:  POST Content-Length of 54414946 
bytes exceeds the limit of 52428800 bytes in Unknown on line 0


[08-Jun-2007 03:06:29] PHP Notice:  Undefined index:  File0 in 
E:\projects\ice\post_test.php on line 13


File0 is the first file in $_FILES array, as POST fails I don't get that 
array.


I uploaded a 48 MB file and it worked without any problem.


Ok, I think I see where your confusion is coming from. I'm not 
suggesting that the applet I'm describing already exists - it would be 
something you'd have to write or commission someone to write for you.


Every existing file upload applet I've ever come across uses HTTP POST 
to upload the files, but this is not what you need. It will almost 
certainly have to be a bespoke solution.


Another way you might approach it would be to define a naming convention 
for uploaded files and accept them via normal FTP upload. The user then 
visits your website and fills in a form that will tell your PHP script 
where to find the file as well as giving it the other information it 
needs. Setting up a secure write-only FTP server is well documented on 
the net, but is well beyond the scope of this mailing list.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Sukhwinder Singh 
You don't appear to have read what I said. A Java applet can use FTP to 
upload the file - PHP does not get involved in that part. Once the upload 
is complete the applet can POST to your PHP file giving it information 
like where it's put the file and this other information you need to give 
it so it can rename the file. This is the only bit PHP gets involved in 
and it doesn't involve trying to upload 4 gig over a machanism that was 
never designed for it.


Thanks again for replying.

I have read. I have been trying to find out way for last two days.
I can say about jupload and how it seems to work.
It uploads file to server in a temporary directory.
It has postURL parameter. Then it POSTS the data to php file.
Because it POSTS, the php configuration values comes into question.

Here is an example:

Settings in php.ini are 50M for upload_max_fisesize and 50M for 
post_max_size.

I used japplet  and  uploaded a 51.89 MB file.

This is what is in error log.

[08-Jun-2007 03:06:29] PHP Warning:  POST Content-Length of 54414946 bytes 
exceeds the limit of 52428800 bytes in Unknown on line 0


[08-Jun-2007 03:06:29] PHP Notice:  Undefined index:  File0 in 
E:\projects\ice\post_test.php on line 13


File0 is the first file in $_FILES array, as POST fails I don't get that 
array.


I uploaded a 48 MB file and it worked without any problem.

Sukhwinder Singh

- Original Message - 
From: "Stut" <[EMAIL PROTECTED]>

To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Friday, June 08, 2007 2:10 AM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs




Sukhwinder Singh wrote:
Even java applets have to hand over the file to some script, in this 
case php and php will get it in $_FILES array it seems (in case of 
japplet). so the problem will remain.


Not at all true. A Java applet can use FTP to handle the upload and 
still pass meta data about the file as an HTTP POST request. There is no 
requirement to use HTTP to upload the file from a Java applet.


It is not about how data is going to be transferred but it is about php 
having a limit on what it can accept as POST.

But we'll see how it works out. I'll let everyone know.
I am trying japplet for now.


You don't appear to have read what I said. A Java applet can use FTP to 
upload the file - PHP does not get involved in that part. Once the upload 
is complete the applet can POST to your PHP file giving it information 
like where it's put the file and this other information you need to give 
it so it can rename the file. This is the only bit PHP gets involved in 
and it doesn't involve trying to upload 4 gig over a machanism that was 
never designed for it.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Stut 

Sukhwinder Singh wrote:
Even java applets have to hand over the file to some script, in this 
case php and php will get it in $_FILES array it seems (in case of 
japplet). so the problem will remain.


Not at all true. A Java applet can use FTP to handle the upload and 
still pass meta data about the file as an HTTP POST request. There is 
no requirement to use HTTP to upload the file from a Java applet.


It is not about how data is going to be transferred but it is about php 
having a limit on what it can accept as POST.

But we'll see how it works out. I'll let everyone know.
I am trying japplet for now.


You don't appear to have read what I said. A Java applet can use FTP to 
upload the file - PHP does not get involved in that part. Once the 
upload is complete the applet can POST to your PHP file giving it 
information like where it's put the file and this other information you 
need to give it so it can rename the file. This is the only bit PHP gets 
involved in and it doesn't involve trying to upload 4 gig over a 
machanism that was never designed for it.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Sukhwinder Singh 
Even java applets have to hand over the file to some script, in this case 
php and php will get it in $_FILES array it seems (in case of japplet). 
so the problem will remain.


Not at all true. A Java applet can use FTP to handle the upload and still 
pass meta data about the file as an HTTP POST request. There is no 
requirement to use HTTP to upload the file from a Java applet.


It is not about how data is going to be transferred but it is about php 
having a limit on what it can accept as POST.

But we'll see how it works out. I'll let everyone know.
I am trying japplet for now.

Thanks for replying.

Sukhwinder Singh

- Original Message - 
From: "Stut" <[EMAIL PROTECTED]>

To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Friday, June 08, 2007 1:28 AM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs




Sukhwinder Singh wrote:
Sounds like you need a Java applet. I have little experience with this, 
but I know that quite a few exist. I have no idea if any of them support 
sending meta data with the upload. I suggest you start Googling.




Even java applets have to hand over the file to some script, in this case 
php and php will get it in $_FILES array it seems (in case of japplet). 
so the problem will remain.


Not at all true. A Java applet can use FTP to handle the upload and still 
pass meta data about the file as an HTTP POST request. There is no 
requirement to use HTTP to upload the file from a Java applet.


-Stut


- Original Message - From: "Stut" <[EMAIL PROTECTED]>
To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, June 07, 2007 8:56 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs




Sukhwinder Singh wrote:

Thanks for your reply.

So you are saying I cannot do it using php. These files have to be 
uploaded locally but using web interface and I have to pass some 
parameters along with file upload to update the database after upload 
is successful. Also I have to rename the file after it is uploaded.


Any utility which allows this?


Sounds like you need a Java applet. I have little experience with this, 
but I know that quite a few exist. I have no idea if any of them support 
sending meta data with the upload. I suggest you start Googling.


-Stut


- Original Message - From: "Stut" <[EMAIL PROTECTED]>
To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, June 07, 2007 8:35 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize 
in GBs




Sukhwinder Singh wrote:
I want to allow uploading of huge video files, which may be as big as 
4 GB. But when I try to set post_max_size = 4G

upload_max_filesize = 4G

in php.ini, it doesn't work and everything in post (posted data) is 
ignored.


I get a warning about size of posted data greater than some negative 
number.


I read somewhere that php stores this data in integer.

I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 
2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp 
sp2).


Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works

We need to allow uploading of 4 GB files. Is there any solution.


Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for 
uploading files, especially large ones. And by large ones I mean 
 >~20MB!!


You need to look into maybe a java applet, or just plain FTP/SFTP/SCP 
for files that big. HTTP was never designed to handle uploading files 
of that size. For a start there is no facility to restart the upload 
should it get interrupted and fail.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php














--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Stut 

Sukhwinder Singh wrote:
Sounds like you need a Java applet. I have little experience with 
this, but I know that quite a few exist. I have no idea if any of them 
support sending meta data with the upload. I suggest you start Googling.




Even java applets have to hand over the file to some script, in this 
case php and php will get it in $_FILES array it seems (in case of 
japplet). so the problem will remain.


Not at all true. A Java applet can use FTP to handle the upload and 
still pass meta data about the file as an HTTP POST request. There is no 
requirement to use HTTP to upload the file from a Java applet.


-Stut


- Original Message - From: "Stut" <[EMAIL PROTECTED]>
To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, June 07, 2007 8:56 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize 
in GBs




Sukhwinder Singh wrote:

Thanks for your reply.

So you are saying I cannot do it using php. These files have to be 
uploaded locally but using web interface and I have to pass some 
parameters along with file upload to update the database after upload 
is successful. Also I have to rename the file after it is uploaded.


Any utility which allows this?


Sounds like you need a Java applet. I have little experience with 
this, but I know that quite a few exist. I have no idea if any of them 
support sending meta data with the upload. I suggest you start Googling.


-Stut


- Original Message - From: "Stut" <[EMAIL PROTECTED]>
To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, June 07, 2007 8:35 PM
Subject: Re: [PHP] File Upload - post_max_size and 
upload_max_filesize in GBs




Sukhwinder Singh wrote:
I want to allow uploading of huge video files, which may be as big 
as 4 GB. But when I try to set post_max_size = 4G

upload_max_filesize = 4G

in php.ini, it doesn't work and everything in post (posted data) is 
ignored.


I get a warning about size of posted data greater than some 
negative number.


I read somewhere that php stores this data in integer.

I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 
2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp 
sp2).


Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works

We need to allow uploading of 4 GB files. Is there any solution.


Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for 
uploading files, especially large ones. And by large ones I mean 
 >~20MB!!


You need to look into maybe a java applet, or just plain 
FTP/SFTP/SCP for files that big. HTTP was never designed to handle 
uploading files of that size. For a start there is no facility to 
restart the upload should it get interrupted and fail.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php











--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Jim Moseby 
> 
> > Rumor has it that uploaded files are stored in memory before being 
> > committed
> > to disk. If so, the amount of free RAM available to PHP 
> would be the limit
> > to the filesize regardless of the ini file settings.
> 
> I don't think that is the case. File is written to temp 
> directory as it is 
> uploaded.
> And the qeustion is of php having negative values after I 
> specify post size 
> limit to 4G
> 

There is a comment in the documentation for move_uploaded_file() that
indicates the entire file is saved in memory prior to writing to the
temporary upload area.  Maybe this is not true. Read it for yourself. Its
just a comment, so who knows?

Also, there is an indication that you may need to tweak memory_limit in
php.ini.  


> > You should probably use another method of transport for 
> files that large.
> > FTP immediately comes to mind.
> 
> You mean ftp client? Like cute ftp. If yes, the problem is 
> that along with 
> uploading the file I also have to update database to 
> associate that file 
> with some user etc. It needs to be web based.
> 

After a quick search I found an applet that handles file uploads, and can
use FTP as the transport protocol.

http://radinks.com/upload/

JM

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Sukhwinder Singh 
Sounds like you need a Java applet. I have little experience with this, 
but I know that quite a few exist. I have no idea if any of them support 
sending meta data with the upload. I suggest you start Googling.




Even java applets have to hand over the file to some script, in this case 
php and php will get it in $_FILES array it seems (in case of japplet). so 
the problem will remain.



- Original Message - 
From: "Stut" <[EMAIL PROTECTED]>

To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, June 07, 2007 8:56 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs




Sukhwinder Singh wrote:

Thanks for your reply.

So you are saying I cannot do it using php. These files have to be 
uploaded locally but using web interface and I have to pass some 
parameters along with file upload to update the database after upload is 
successful. Also I have to rename the file after it is uploaded.


Any utility which allows this?


Sounds like you need a Java applet. I have little experience with this, 
but I know that quite a few exist. I have no idea if any of them support 
sending meta data with the upload. I suggest you start Googling.


-Stut


- Original Message - From: "Stut" <[EMAIL PROTECTED]>
To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, June 07, 2007 8:35 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs




Sukhwinder Singh wrote:
I want to allow uploading of huge video files, which may be as big as 4 
GB. But when I try to set post_max_size = 4G

upload_max_filesize = 4G

in php.ini, it doesn't work and everything in post (posted data) is 
ignored.


I get a warning about size of posted data greater than some negative 
number.


I read somewhere that php stores this data in integer.

I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 
2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp 
sp2).


Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works

We need to allow uploading of 4 GB files. Is there any solution.


Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for 
uploading files, especially large ones. And by large ones I mean 
 >~20MB!!


You need to look into maybe a java applet, or just plain FTP/SFTP/SCP 
for files that big. HTTP was never designed to handle uploading files of 
that size. For a start there is no facility to restart the upload should 
it get interrupted and fail.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php









--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Sukhwinder Singh 


I would hazard a guess that you're overflowing a signed 32-bit int by 
specifying 4gig, but I could be wrong. It's certainly not the issue.




Yes you are right. That is what is happening.

Sukhwinder Singh

- Original Message - 
From: "Stut" <[EMAIL PROTECTED]>

To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: "Jim Moseby" <[EMAIL PROTECTED]>; 
Sent: Thursday, June 07, 2007 9:16 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs




Sukhwinder Singh wrote:
Rumor has it that uploaded files are stored in memory before being 
committed
to disk. If so, the amount of free RAM available to PHP would be the 
limit

to the filesize regardless of the ini file settings.


I don't think that is the case. File is written to temp directory as it 
is uploaded.
And the qeustion is of php having negative values after I specify post 
size limit to 4G


I would hazard a guess that you're overflowing a signed 32-bit int by 
specifying 4gig, but I could be wrong. It's certainly not the issue.


-Stut



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Stut 

Sukhwinder Singh wrote:
Rumor has it that uploaded files are stored in memory before being 
committed
to disk. If so, the amount of free RAM available to PHP would be the 
limit

to the filesize regardless of the ini file settings.


I don't think that is the case. File is written to temp directory as it 
is uploaded.
And the qeustion is of php having negative values after I specify post 
size limit to 4G


I would hazard a guess that you're overflowing a signed 32-bit int by 
specifying 4gig, but I could be wrong. It's certainly not the issue.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Sukhwinder Singh 

A beeter method is to send the file via ftp. I think most browsers
allow this.  And for example store the file in a user specific file.
Then the user, via a web interface, select the file it has uploaded
and do the rest of the operations you need.


Along with uploading the file I also have to pass other information to 
update the database to associate that file with some user etc.


What kind of ftp method you are suggesting?

Sukhwinder Singh

- Original Message - 
From: "jose javier parra sanchez" <[EMAIL PROTECTED]>

To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Sent: Thursday, June 07, 2007 8:59 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs




A beeter method is to send the file via ftp. I think most browsers
allow this.  And for example store the file in a user specific file.
Then the user, via a web interface, select the file it has uploaded
and do the rest of the operations you need.

2007/6/7, Sukhwinder Singh <[EMAIL PROTECTED]>:

Thanks for your reply.

So you are saying I cannot do it using php. These files have to be 
uploaded

locally but using web interface and I have to pass some parameters along
with file upload to update the database after upload is successful. Also 
I

have to rename the file after it is uploaded.

Any utility which allows this?

Thanks,
Sukhwinder Singh

- Original Message -
From: "Stut" <[EMAIL PROTECTED]>
To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, June 07, 2007 8:35 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in
GBs


> Sukhwinder Singh wrote:
>> I want to allow uploading of huge video files, which may be as big as 
>> 4

>> GB. But when I try to set post_max_size = 4G
>> upload_max_filesize = 4G
>>
>> in php.ini, it doesn't work and everything in post (posted data) is
>> ignored.
>>
>> I get a warning about size of posted data greater than some negative
>> number.
>>
>> I read somewhere that php stores this data in integer.
>>
>> I have tested it on 64 bit system (php 5.1.6 installed on Mandriva
>> 2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp 
>> sp2).

>>
>> Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works
>>
>> We need to allow uploading of 4 GB files. Is there any solution.
>
> Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for 
> uploading

> files, especially large ones. And by large ones I mean >~20MB!!
>
> You need to look into maybe a java applet, or just plain FTP/SFTP/SCP 
> for
> files that big. HTTP was never designed to handle uploading files of 
> that
> size. For a start there is no facility to restart the upload should it 
> get

> interrupted and fail.
>
> -Stut
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php






--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Sukhwinder Singh 
Rumor has it that uploaded files are stored in memory before being 
committed

to disk. If so, the amount of free RAM available to PHP would be the limit
to the filesize regardless of the ini file settings.


I don't think that is the case. File is written to temp directory as it is 
uploaded.
And the qeustion is of php having negative values after I specify post size 
limit to 4G



You should probably use another method of transport for files that large.
FTP immediately comes to mind.


You mean ftp client? Like cute ftp. If yes, the problem is that along with 
uploading the file I also have to update database to associate that file 
with some user etc. It needs to be web based.


Sukhwinder Singh

- Original Message - 
From: "Jim Moseby" <[EMAIL PROTECTED]>

To: "'Sukhwinder Singh'" <[EMAIL PROTECTED]>; 
Sent: Thursday, June 07, 2007 8:52 PM
Subject: RE: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs





Hello,

I want to allow uploading of huge video files, which may be
as big as 4 GB. But when I try to set

post_max_size = 4G
upload_max_filesize = 4G

in php.ini, it doesn't work and everything in post (posted
data) is ignored.

I get a warning about size of posted data greater than some
negative number.

I read somewhere that php stores this data in integer.

I have tested it on 64 bit system (php 5.1.6 installed on
Mandriva 2007.0) as well as 32 bit system (php 5.2.2
installed on windows xp sp2).

Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works

We need to allow uploading of 4 GB files. Is there any solution.

Regards,
Sukhwinder Singh



Rumor has it that uploaded files are stored in memory before being 
committed

to disk. If so, the amount of free RAM available to PHP would be the limit
to the filesize regardless of the ini file settings.

You should probably use another method of transport for files that large.
FTP immediately comes to mind.

JM

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Stut 

Sukhwinder Singh wrote:

Thanks for your reply.

So you are saying I cannot do it using php. These files have to be 
uploaded locally but using web interface and I have to pass some 
parameters along with file upload to update the database after upload is 
successful. Also I have to rename the file after it is uploaded.


Any utility which allows this?


Sounds like you need a Java applet. I have little experience with this, 
but I know that quite a few exist. I have no idea if any of them support 
sending meta data with the upload. I suggest you start Googling.


-Stut


- Original Message - From: "Stut" <[EMAIL PROTECTED]>
To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, June 07, 2007 8:35 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize 
in GBs




Sukhwinder Singh wrote:
I want to allow uploading of huge video files, which may be as big as 
4 GB. But when I try to set post_max_size = 4G

upload_max_filesize = 4G

in php.ini, it doesn't work and everything in post (posted data) is 
ignored.


I get a warning about size of posted data greater than some negative 
number.


I read somewhere that php stores this data in integer.

I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 
2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp 
sp2).


Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works

We need to allow uploading of 4 GB files. Is there any solution.


Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for 
uploading files, especially large ones. And by large ones I mean >~20MB!!


You need to look into maybe a java applet, or just plain FTP/SFTP/SCP 
for files that big. HTTP was never designed to handle uploading files 
of that size. For a start there is no facility to restart the upload 
should it get interrupted and fail.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php






--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Jim Moseby 
> 
> Hello,
> 
> I want to allow uploading of huge video files, which may be 
> as big as 4 GB. But when I try to set 
> 
> post_max_size = 4G
> upload_max_filesize = 4G
> 
> in php.ini, it doesn't work and everything in post (posted 
> data) is ignored.
> 
> I get a warning about size of posted data greater than some 
> negative number.
> 
> I read somewhere that php stores this data in integer.
> 
> I have tested it on 64 bit system (php 5.1.6 installed on 
> Mandriva 2007.0) as well as 32 bit system (php 5.2.2 
> installed on windows xp sp2).
> 
> Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works
> 
> We need to allow uploading of 4 GB files. Is there any solution.
> 
> Regards,
> Sukhwinder Singh


Rumor has it that uploaded files are stored in memory before being committed
to disk. If so, the amount of free RAM available to PHP would be the limit
to the filesize regardless of the ini file settings.

You should probably use another method of transport for files that large.
FTP immediately comes to mind.

JM

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Sukhwinder Singh 

Thanks for your reply.

So you are saying I cannot do it using php. These files have to be uploaded 
locally but using web interface and I have to pass some parameters along 
with file upload to update the database after upload is successful. Also I 
have to rename the file after it is uploaded.


Any utility which allows this?

Thanks,
Sukhwinder Singh

- Original Message - 
From: "Stut" <[EMAIL PROTECTED]>

To: "Sukhwinder Singh" <[EMAIL PROTECTED]>
Cc: 
Sent: Thursday, June 07, 2007 8:35 PM
Subject: Re: [PHP] File Upload - post_max_size and upload_max_filesize in 
GBs




Sukhwinder Singh wrote:
I want to allow uploading of huge video files, which may be as big as 4 
GB. But when I try to set post_max_size = 4G

upload_max_filesize = 4G

in php.ini, it doesn't work and everything in post (posted data) is 
ignored.


I get a warning about size of posted data greater than some negative 
number.


I read somewhere that php stores this data in integer.

I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 
2007.0) as well as 32 bit system (php 5.2.2 installed on windows xp sp2).


Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works

We need to allow uploading of 4 GB files. Is there any solution.


Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for uploading 
files, especially large ones. And by large ones I mean >~20MB!!


You need to look into maybe a java applet, or just plain FTP/SFTP/SCP for 
files that big. HTTP was never designed to handle uploading files of that 
size. For a start there is no facility to restart the upload should it get 
interrupted and fail.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload - post_max_size and upload_max_filesize in GBs

2007-06-07 Thread Stut 

Sukhwinder Singh wrote:
I want to allow uploading of huge video files, which may be as big as 4 GB. But when I try to set 


post_max_size = 4G
upload_max_filesize = 4G

in php.ini, it doesn't work and everything in post (posted data) is ignored.

I get a warning about size of posted data greater than some negative number.

I read somewhere that php stores this data in integer.

I have tested it on 64 bit system (php 5.1.6 installed on Mandriva 2007.0) as 
well as 32 bit system (php 5.2.2 installed on windows xp sp2).

Value up to, I think, 2147483647 bytes or ( around 1.999.. gb) works

We need to allow uploading of 4 GB files. Is there any solution.


Yeah, don't use HTTP. Seriously, HTTP is a crappy mechanism for 
uploading files, especially large ones. And by large ones I mean >~20MB!!


You need to look into maybe a java applet, or just plain FTP/SFTP/SCP 
for files that big. HTTP was never designed to handle uploading files of 
that size. For a start there is no facility to restart the upload should 
it get interrupted and fail.


-Stut

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Andy Hultgren 

Well, seeing as I have no directory anywhere in my file structure called
"/tmp" and yet my file uploads are still working, it would appear that my
temporary file upload directory "/tmp" given by php_info() is somewhere
outside of my root directory.  So that's good news!  That's were I'll be
doing my file checks anyway before moving any files into my root directory.

Anyway, at this point it looks like I need to buckle down and do some
thinkin'.  Thank you everyone for your advice, I really really appreciate
it!!  You guys have given me a really good foundation to start from on these
questions of site security, and I appreciate you taking the time to pass on
your expertise to a newcomer.

All the best,

Andy


On 9/27/06, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote:
> So I've been trying to figure out where php uploads files to
> temporarily
> store them before I move them to their permanent storage directory,
> and I'm
> having some difficulties:
>
> -- php_info() says the temporary file upload directory is "/tmp" but I
> don't
> know if that's relative to my root directory or what and can't figure
> out
> from the documentation how that path is displayed.

/tmp means the /tmp on the root of the hard drive, which your webhost
allegedly isn't letting you share...

HOWEVER:
It is entirely possible (nay, even likely) that they have you in a
ch-rooted environment where your "/tmp" is not somebody else's "/tmp"
so you'll just see "/tmp" and you don't have to worry about the fact
that it's not really really /tmp but somewhere else...

> -- I have tried to call pathinfo() and realpath() on my
> $_FILES['name']['tmp_name'] file before it is moved, but neither gives
> the
> full path to the file

If $_FILES['name']['tmp_name'] does already have the full path,
something is very wrong on your system...

Note that as soon as your upload-receiving script ends, the file is
deleted.

You *have* to use move_uploaded_file() on it in the upload-receiving
script to save the file somewhere else, or it's just gonna go away,
and you ain't gonna see it never again.

> Maybe I should have one of those disclaimers posted on my homepage
> like the
> ones that you see in taxis sometimes: "This driver never carries more
> than
> $20 cash."  -->  "This website never carries anyone's financial
> information."  :)

:-)

While there are obviously people "out there" who will just attack
randomly, (spammers) I honestly believe that a
valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a
much less likely target for an actual human attack.

I have absolutely zero evidence to support that claim, other than one
site that's been wide open to abuse for most of a decade, and only the
mindless spam-bots bother it... :-)

--
Like Music?
http://l-i-e.com/artists.htm

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Richard Lynch 
On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote:
> So I've been trying to figure out where php uploads files to
> temporarily
> store them before I move them to their permanent storage directory,
> and I'm
> having some difficulties:
>
> -- php_info() says the temporary file upload directory is "/tmp" but I
> don't
> know if that's relative to my root directory or what and can't figure
> out
> from the documentation how that path is displayed.

/tmp means the /tmp on the root of the hard drive, which your webhost
allegedly isn't letting you share...

HOWEVER:
It is entirely possible (nay, even likely) that they have you in a
ch-rooted environment where your "/tmp" is not somebody else's "/tmp"
so you'll just see "/tmp" and you don't have to worry about the fact
that it's not really really /tmp but somewhere else...

> -- I have tried to call pathinfo() and realpath() on my
> $_FILES['name']['tmp_name'] file before it is moved, but neither gives
> the
> full path to the file

If $_FILES['name']['tmp_name'] does already have the full path,
something is very wrong on your system...

Note that as soon as your upload-receiving script ends, the file is
deleted.

You *have* to use move_uploaded_file() on it in the upload-receiving
script to save the file somewhere else, or it's just gonna go away,
and you ain't gonna see it never again.

> Maybe I should have one of those disclaimers posted on my homepage
> like the
> ones that you see in taxis sometimes: "This driver never carries more
> than
> $20 cash."  -->  "This website never carries anyone's financial
> information."  :)

:-)

While there are obviously people "out there" who will just attack
randomly, (spammers) I honestly believe that a
valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a
much less likely target for an actual human attack.

I have absolutely zero evidence to support that claim, other than one
site that's been wide open to abuse for most of a decade, and only the
mindless spam-bots bother it... :-)

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Andy Hultgren 

So I've been trying to figure out where php uploads files to temporarily
store them before I move them to their permanent storage directory, and I'm
having some difficulties:

-- php_info() says the temporary file upload directory is "/tmp" but I don't
know if that's relative to my root directory or what and can't figure out
from the documentation how that path is displayed.
-- I have tried to call pathinfo() and realpath() on my
$_FILES['name']['tmp_name'] file before it is moved, but neither gives the
full path to the file (which I realized after reading the documentation that
neither is supposed to do).  Any ideas on functions that will give the full
path of the inputted file?  I've been searching the php documentation and
general list but to no avail.  On the plus side, I did get to practice
writing information to a text file, so that was fun :)

Thanks for the tips on the chmod requirements for the get_image_size()
function, I'm all about keep permissions as strict as possible at this
point!

Crap, gotta use my brain, huh?  :)  Seriously, thanks for the overview on
how "security" should be approached and for the advice to not take general
security recommendations at face value but to give them some thought, given
my unique situation.  This is really good for me to learn now, while I'm
still implementing my security rather than later when I might have to redo
everything (or might have a gaping hole based on a poor assumption).  At
least I won't be storing anyone's financial information, so I should only be
a target for people who just want to be mean, but not people who want to get
free stuff from others credit info.

Maybe I should have one of those disclaimers posted on my homepage like the
ones that you see in taxis sometimes: "This driver never carries more than
$20 cash."  -->  "This website never carries anyone's financial
information."  :)

Andy


On 9/26/06, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
> So I tried to implement the example code given in the php tmpfile()
> documentation and it wouldn't do anything, which suggests that I don't
> have
> access to the /tmp directory.  Also, the FAQ's section on my server's
> website say that /tmp is not shared between the servers.  So, looks
> like
> /tmp option is out...

Did they perhaps give you your own "tmp" directory elsewhere?...

Sometimes you just need to poke at it to figure out where your "tmp"
is, and then you can use the PHP functions that let you specify your
own directory, but not the ones that assume that system /tmp is your
"tmp"

My host has a "tmp" dir I can use, but it ain't /tmp, and PHP
routinely tries to use /tmp with some functions.  G.

> So, let me see if I understand the situation I'm looking at here:
>
> The bad side:
> -- I don't have any place to put uploaded files outside of my webtree,
> which
> makes it tough to ensure these files cannot be surfed to once they are
> uploaded, and also means I have to do my security checks while the
> files are
> within my webtree and potentially accessible.  (BAD).

Yes.

Though if file uploads are working at all, looking at the $_FILES
array may give you a clue as to a directory that you maybe *can*
access which is your own private "tmp"...

> -- Any php script on my server (created by me or somehow maliciously
> uploaded) can do whatever it wants within my account because all php
> scripts run as me.  (also BAD).

On the plus side, some of the coding gets real simple, since you are
you, and you are never somebody else. :-)

> The good side:
> -- Uploaded files can be chmod so that nobody can read them, then I
> chmod
> them when I need to use them.  This adds a layer of protection for
> completely uploaded files.  I assume this will not help with files
> while
> they are getting their security checks, since PHP has to be able to
> read and
> execute them in order to run the checks (get_image_size, etc.)?

PHP needs to read them for get_image_size, but not execute.

Use minimum force needed.

If you are flipping the chmod around within your scripts, that reduces
your risk to however long the dir remains in its 0777 (or whatever)
state, which is however long your script takes to process whatever it
has to process in that state.

So long exhaustive checks of the validity of a file are "bad" because
that leaves that window open longer, but they're "good" because the
file is then more likely to be kosher.

> -- Since I'm only allowing image uploads, I can strictly filter which
> files
> are allowed to be uploaded (with extension checks and get_image_size).

Extension check is kinda useless...

I can name any file I want with .jpg and upload it.

get_image_size() is good, as it checks the first N bytes -- But
somebody somewhere can construct a worm with the first N bytes that
LOOK like a valid image, to get_image_size()

A human eyeball check would be even better, as then you *know* that a
much larger number of bytes are a val

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread Richard Lynch 
On Wed, September 27, 2006 10:11 am, tedd wrote:
>>So when you read advice to use 0777 you can immediately change that
>> to
>>0700, because the only access needed is for you, not your group, and
>>not the "world" of other users on that machine.
>
> Excellent point -- thanks.

This applies only to Andy -- or those whose server runs as "themself"

Tedd, whose server runs as "nobody" or some other user, still need
0777 or the FTP hoop-jumping.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-27 Thread tedd 

At 6:43 PM -0500 9/26/06, Richard Lynch wrote:

On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
 > -- Since I'm only allowing image uploads, I can strictly filter which

 files
 are allowed to be uploaded (with extension checks and get_image_size).


Extension check is kinda useless...

I can name any file I want with .jpg and upload it.

get_image_size() is good, as it checks the first N bytes -- But
somebody somewhere can construct a worm with the first N bytes that
LOOK like a valid image, to get_image_size()

A human eyeball check would be even better, as then you *know* that a
much larger number of bytes are a valid image.

It could still be "image+worm" with the worm tacked on at the end, and
a valid image at the front, which the browser would probably just go
ahead and display as valid image. :-(

The odds of somebody able to construct a valid-looking image whose
exact byte sequence is also a worm are pretty low, but not
impossible... :-)


That's one of the reasons why I resize images I upload -- image files 
are never stored "as-is". I figure that any possible worms contained 
therein will probably be damaged beyond working after a shuffle. 
After all, code is usually sensitive to alteration.



So when you read advice to use 0777 you can immediately change that to
0700, because the only access needed is for you, not your group, and
not the "world" of other users on that machine.


Excellent point -- thanks.

tedd
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-26 Thread Richard Lynch 
On Mon, September 25, 2006 3:58 pm, Andy Hultgren wrote:
> So I tried to implement the example code given in the php tmpfile()
> documentation and it wouldn't do anything, which suggests that I don't
> have
> access to the /tmp directory.  Also, the FAQ's section on my server's
> website say that /tmp is not shared between the servers.  So, looks
> like
> /tmp option is out...

Did they perhaps give you your own "tmp" directory elsewhere?...

Sometimes you just need to poke at it to figure out where your "tmp"
is, and then you can use the PHP functions that let you specify your
own directory, but not the ones that assume that system /tmp is your
"tmp"

My host has a "tmp" dir I can use, but it ain't /tmp, and PHP
routinely tries to use /tmp with some functions.  G.

> So, let me see if I understand the situation I'm looking at here:
>
> The bad side:
> -- I don't have any place to put uploaded files outside of my webtree,
> which
> makes it tough to ensure these files cannot be surfed to once they are
> uploaded, and also means I have to do my security checks while the
> files are
> within my webtree and potentially accessible.  (BAD).

Yes.

Though if file uploads are working at all, looking at the $_FILES
array may give you a clue as to a directory that you maybe *can*
access which is your own private "tmp"...

> -- Any php script on my server (created by me or somehow maliciously
> uploaded) can do whatever it wants within my account because all php
> scripts run as me.  (also BAD).

On the plus side, some of the coding gets real simple, since you are
you, and you are never somebody else. :-)

> The good side:
> -- Uploaded files can be chmod so that nobody can read them, then I
> chmod
> them when I need to use them.  This adds a layer of protection for
> completely uploaded files.  I assume this will not help with files
> while
> they are getting their security checks, since PHP has to be able to
> read and
> execute them in order to run the checks (get_image_size, etc.)?

PHP needs to read them for get_image_size, but not execute.

Use minimum force needed.

If you are flipping the chmod around within your scripts, that reduces
your risk to however long the dir remains in its 0777 (or whatever)
state, which is however long your script takes to process whatever it
has to process in that state.

So long exhaustive checks of the validity of a file are "bad" because
that leaves that window open longer, but they're "good" because the
file is then more likely to be kosher.

> -- Since I'm only allowing image uploads, I can strictly filter which
> files
> are allowed to be uploaded (with extension checks and get_image_size).

Extension check is kinda useless...

I can name any file I want with .jpg and upload it.

get_image_size() is good, as it checks the first N bytes -- But
somebody somewhere can construct a worm with the first N bytes that
LOOK like a valid image, to get_image_size()

A human eyeball check would be even better, as then you *know* that a
much larger number of bytes are a valid image.

It could still be "image+worm" with the worm tacked on at the end, and
a valid image at the front, which the browser would probably just go
ahead and display as valid image. :-(

The odds of somebody able to construct a valid-looking image whose
exact byte sequence is also a worm are pretty low, but not
impossible... :-)

> (Plus
> all the stuff talked about in the PHP Security Guide provided by the
> PHP
> Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well,
> all of
> it that I can implement without having access to a directory outside
> of my
> webtree anyway).

Be careful.

It's entirely possible that *some* of the advice would put you at
higher risk with your setup, if their assumption is the "nobody" user
and a directory outside web-tree.

So just because you *CAN* implement your advice in your situation,
won't mean you should.

You're going to have to examine every little thing on a case-by-case
basis with your Security Hat on firmly -- Which means thinking "If I
was Evil, how would I break this?"

> So, given this situation (if I've got it right), I have two questions:
>
> 1) With the above "as is", am I just asking for anyone to come in and
> tear
> my site apart?  I am not an experienced web developer (obviously), but
> I
> love to read.  Is that enough to build a secure site, or am I just way
> in
> over my head?

There's no such thing as "a secure site"...

A secure site is not an off/on switch.  It's more a gradient from
horrible to very strong.

And the act of building a Secure site is not even just a question of
following all the "rules" in http://phpsec.org and so on.

It's a thought process, a living breathing intelligent human actually
*thinking* about what they are doing, and what the Risks are, and what
the Benefits are, and trying to consider every possible angle of every
decision.

Are you building an e-commerce site, right out of the gate, on a
server configured li

Re: [PHP] File Upload Security and chmod

2006-09-26 Thread Richard Lynch 
The FTP will be slower, almost for sure.

He's doing it because he can FTP in as himself, and not as the
"nobody" user Apache runs as.

Your webhost has you running as yourself already, so you can chmod
your files at will in PHP.

On Mon, September 25, 2006 2:11 pm, Andy Hultgren wrote:
> Tedd,
>
> Thanks so much your thorough response - it's good to know that I'm not
> the
> only one trying to figure this out!  I'm curious, in your code you use
> the
> PHP ftp functions, but I have used the PHP functions chmod() and
> mkdir()
> without establishing an ftp connection.  Is it faster to establish an
> ftp
> connection within PHP and then use the ftp series of functions to
> accomplish
> all of the directory creation and permissions changes?  If so, then I
> will
> probably change my code to follow yours.
>
> Andy
>
>
> On 9/25/06, tedd <[EMAIL PROTECTED]> wrote:
>>
>> At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
>> >Hi Tedd,
>> >
>> >Yes, when I browse to www.myDomain.com I get the index.html file,
>> and so
>> I
>> >have been leaving the .public_html/ directory alone since it is not
>> my
>> >root.  I'm curious, what you described is exactly what I'm trying
>> to do -
>> >what permissions do you set the parent folder at when you are
>> finished
>> >uploading/saving/downloading/etc.?  I have my "uploaded_images/"
>> >directory set at chmod 0100 and I can still browse to an uploaded
>> image
>> from
>> >my file upload page...  Thanks for your response,
>>
>>
>> Andy:
>>
>> I ran into the same problem trying to work with, and understand,
>> permissions on a virtual host. When I asked this gang about
>> permissions some time back, I received answers that ranged from RTFM
>> to calling me stupid for using 0777, but none answered my question.
>> No fault of the gang, I probably didn't ask the question correctly.
>> In any event, I felt too stupid to ask the question again, so I went
>> elsewhere looking for answers and eventually found something that
>> works for me.
>>
>> Some consider me a novice, so I'll ask the gang to overview my
>> comments to make sure that I'm not guiding you down the wrong path.
>>
>> As you know, the key to setting the permissions of a file depends
>> upon the permissions the parent folder. If the parent folder
>> permission is set to 0777, then we can change any files inside the
>> folder as we want. However, that also presents a major security hole
>> because then anyone can use that folder to upload and run evil code.
>>
>> So, the key problem is how to alter parent folder permissions.
>>
>> With virtual hosting, we can upload, manage, and set permissions as
>> we want via our FTP connection software. So, I thought perhaps php
>> had something like that and as such I discovered how to ftp connect
>> via php.
>>
>> Now, not all php ftp_ are available to php 4, but you can
>> connect to your site and change permissions of folders, which is
>> what
>> we actually need. So, if you want to do something with a file: then
>> change the folder permissions of the folder that holds it; do
>> whatever you want with the file; and then change the folder
>> permissions back to something safe.
>>
>> You can also create new folders if you want using the command
>> ftp_mkdir().
>>
>> Note, the beginning of the ftp_paths are different than url paths we
>> would normally use to locate a file. For example:
>>
>> An example web path:
>>
>> http://www.yourdomain.com/rw/tmp/text.txt
>>
>> An example symbolic link:
>>
>> public_html/rw/tmp/text.txt
>>
>> The following code will show you an example of how this works. Just
>> put in your own domain, user id, password, and correct paths and try
>> it out. Change the permissions in the code and watch how the file
>> permissions change.
>>
>> Please let me know if this works for you -- watch for line breaks.
>>
>> hth's
>>
>> tedd
>>
>> PS: I don't know what to say about your ".public_html/" directory,
>> but I would just leave it alone.
>>
>> ---
>>
>> // how to call the function
>>
>> >
>> $ftp_path = "public_html/rw/";  // note the ftp path
>> $theDir = "tmp";
>> $theFile ="text.txt";
>> FtpPerms($ftp_path, $theDir, $theFile);
>> ?>
>>
>>
>> // the function
>>
>> > // create directory and change permissions via FTP connection
>>
>> function FtpPerms($path, $theDir, $theFile)
>> {
>>
>> $server='ftp.yourdomain.com'; // ftp server
>> $connection = ftp_connect($server); // connection
>>
>> $user = "you";
>> $pass = "yourpassword";
>> $result = ftp_login($connection, $user, $pass); // login to ftp
>> server
>>
>> if ((!$connection) || (!$result))
>> {
>> echo("No connection");
>> return false;
>> exit();
>> }
>> else
>> {
>> echo("Made connection");
>> ftp_chdir($connection, $path); // go to destination dir
>>
>> echo("Change permission");
>> $str="CHMOD 0755 " . $theDir; // change permissions for dir (note
>> the
>> space after 0775 )
>> ftp_site($connection, $str);
>> echo("$str");
>>
>> $filename = "$theDir/$theFile";
>> $contents = "This is the contents of

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Andy Hultgren 

Hey Tedd and Eric,

Between the two of you and Richard Lynch's last post, I understand why I can
use chmod() and mkdir() within php without having to use the ftp commands: I
run on a server that is configured to run my php scripts as "username" (ie.
me!) instead of as "nobody" (which is much more common).  So my php scripts
have powers which they probably shouldn't have.  So, Tedd, you don't have to
go back to the manual it looks like you are exactly right, I'm just on a
goofy server which is the exception to the rule (for better or for worse).

I really appreciate you guys jumping in a giving me a hand.  Hopefully I get
good enough at this that I can return the favor sometime!!!

Andy


On 9/25/06, Eric Butera <[EMAIL PROTECTED]> wrote:


On 9/25/06, Andy Hultgren <[EMAIL PROTECTED]> wrote:
>
> Tedd,
>
> Thanks so much your thorough response - it's good to know that I'm not
> the
> only one trying to figure this out!  I'm curious, in your code you use
> the
> PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
>
> without establishing an ftp connection.  Is it faster to establish an
> ftp
> connection within PHP and then use the ftp series of functions to
> accomplish
> all of the directory creation and permissions changes?  If so, then I
> will
> probably change my code to follow yours.
>
> Andy


By using FTP you can specify which user account you want the connection to
be established at.  When running a PHP script the script will be running by
the Apache server, which means it will have specific permission levels which
cannot create directories or chmod unless Apache owns the parent directory.
That is why Tedd went through all that trouble.

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Andy Hultgren 

Well, that didn't sound too good...

So I tried to implement the example code given in the php tmpfile()
documentation and it wouldn't do anything, which suggests that I don't have
access to the /tmp directory.  Also, the FAQ's section on my server's
website say that /tmp is not shared between the servers.  So, looks like
/tmp option is out...

So, let me see if I understand the situation I'm looking at here:

The bad side:
-- I don't have any place to put uploaded files outside of my webtree, which
makes it tough to ensure these files cannot be surfed to once they are
uploaded, and also means I have to do my security checks while the files are
within my webtree and potentially accessible.  (BAD).
-- Any php script on my server (created by me or somehow maliciously
uploaded) can do whatever it wants within my account because all php
scripts run as me.  (also BAD).

The good side:
-- Uploaded files can be chmod so that nobody can read them, then I chmod
them when I need to use them.  This adds a layer of protection for
completely uploaded files.  I assume this will not help with files while
they are getting their security checks, since PHP has to be able to read and
execute them in order to run the checks (get_image_size, etc.)?
-- Since I'm only allowing image uploads, I can strictly filter which files
are allowed to be uploaded (with extension checks and get_image_size). (Plus
all the stuff talked about in the PHP Security Guide provided by the PHP
Security Consortium for html POSTs, MySQL stuff, cookies, etc. Well, all of
it that I can implement without having access to a directory outside of my
webtree anyway).

So, given this situation (if I've got it right), I have two questions:

1) With the above "as is", am I just asking for anyone to come in and tear
my site apart?  I am not an experienced web developer (obviously), but I
love to read.  Is that enough to build a secure site, or am I just way in
over my head?
2) Imaging that I can convince my host to rebuild my site so that I have
access to directories outside of my webtree and can check and save uploaded
files there, does that make the situation substantially better?  Or is the
"PHP running as me" thing enough alone to raise some serious serious
problems (perhaps less around the image uploading but more around a login
page or something)?

As always, thank you so much for your help.

Andy

On 9/25/06, Richard Lynch <[EMAIL PROTECTED]> wrote:


On Sun, September 24, 2006 11:04 pm, Andy Hultgren wrote:
> I really appreciate your help with this.
>
> To answer your first question: when people surf to my site they see
> the
> stuff "next to" (outside) .public_html/, not anything within
> .public_html/.
> (Thanks by the way for explaining the .dirName invisibility thing,
> that's
> one confusing thing not to worry about anymore!)

Hmmm.

Okay, so you definitely do not have any space outside the webtree.

That's bad.

Anything you upload is stuck being available to the public, to some
degree. :-(

You *may* be able to utilize /tmp

See if you can write a short little script with http://php.net/tmpfile

This will give you and idea if you can stash things in /tmp, at least
until you can confirm that they are not Evil.

> To answer your second question: the "uploadedFiles/" directory is
> 0100, but
> not the file.  The uploaded file itself is 0640.

So your login is allowed to read files within the directory, but not
to list what's in the directory.

Your login and your group can read the file itself.

Your login can write the file as well.

See next question/answer.

> Third question: it runs as the same username I use to login to my
> server's
> ftp site.  This information wasn't in the output of the phpinfo()
> function
> (that I could find).  I did some searching on php.net and found this
> entry
> under the get_current_user() function (
> http://us3.php.net/manual/en/function.get-current-user.php, top user
> contributed note):
> **
> *to get the username of the process owner (rather than the file
> owner), you
> can use:
> ** $processUser = posix_getpwuid(posix_geteuid**());
> print $processUser['name'**];
> ?> *
> **
> I used this code to find out the user PHP runs as.  Is that what you
> were
> looking for?

Yes.

And since PHP runs as "you" with your login, it can do everything
listed above.

So you probably cannot surf to the DIRECTORY and get a listing (even
if DirectoryIndex is on) but if you know the name of the file in
advance, you can surf to it.

So if you want to make a file not readable, you have to chmod it so
that *YOU* cannot read it.

This will be a PITA because then you'll need to chmod it back any time
you want to mess with it.

As the owner of a file, you are allowed to chmod it so that you
yourself cannot read it -- kind of like locking it away in a safe --
and then you have to chmod it back to readable (open the safe) to read
it.

You still "own" the file, so you can always chmod it anywhich way you
want, at any time.

Running your

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread tedd 

Andy:

It was never a question of speed for me -- it was a question of being 
able to change file permissions from within a php script so that I 
could create and write files safely.


You see, I am *not* able to use chmod() within a php script at all 
regardless of what permissions the file and parent folder have -- 
even when both are set to 0777. To do any permissions changing from 
within a php script I am forced to resort to a ftp connection as I 
previously described.


I can't even create a file, nor open a file for writing, without the 
parent folder having 0777 permissions. The only option I had was to 
set parent folders to 0777 and leave them that way, and I wasn't 
going to do that for security reasons.


Now, perhaps something is wrong with my server (or me) -- but -- I 
have more than one server and the same tests held true for all of 
them.


So, if you can chmod() and mkdir() from within your php script 
without establishing an ftp connection, then more power to you, 
because I can't. And that's the reason I use ftp_login. I thought 
that you had the same problem.


Now, perhaps I should RTFM again -- but -- I have read it and I have 
not found another method that works to change permissions other than 
to use ftp_logon.


I suspect that this problem may be pretty obvious to the gang, but I 
don't know if anyone cares to comment. Comments?


tedd

---

At 1:11 PM -0600 9/25/06, Andy Hultgren wrote:

Tedd,

Thanks so much your thorough response - it's good to know that I'm 
not the only one trying to figure this out!  I'm curious, in your 
code you use the PHP ftp functions, but I have used the 
PHP functions chmod() and mkdir() without establishing an ftp 
connection.  Is it faster to establish an ftp connection within PHP 
and then use the ftp series of functions to accomplish all of the 
directory creation and permissions changes?  If so, then I will 
probably change my code to follow yours.


Andy


On 9/25/06, tedd <[EMAIL PROTECTED]> wrote:

At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:

Hi Tedd,

Yes, when I browse to  www.myDomain.com I 
get the index.html file, and so I

have been leaving the .public_html/ directory alone since it is not my
root.  I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.?  I have my "uploaded_images/"
directory set at chmod 0100 and I can still browse to an uploaded image from
my file upload page...  Thanks for your response,



Andy:

I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.

Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.

As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.

So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.

Now, not all php ftp_ are available to php 4, but you can
connect to your site and change permissions of folders, which is what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.

You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:

An example web path:

http://www.yourdomain.com/rw/tmp/text.txt

An example symbolic link:

public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.

Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your ".public_html/" directory,
but I would just leave it alone.

---

// how to call the function




// the function

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Eric Butera 

On 9/25/06, Andy Hultgren <[EMAIL PROTECTED]> wrote:


Tedd,

Thanks so much your thorough response - it's good to know that I'm not the
only one trying to figure this out!  I'm curious, in your code you use the
PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
without establishing an ftp connection.  Is it faster to establish an ftp
connection within PHP and then use the ftp series of functions to
accomplish
all of the directory creation and permissions changes?  If so, then I will
probably change my code to follow yours.

Andy



By using FTP you can specify which user account you want the connection to
be established at.  When running a PHP script the script will be running by
the Apache server, which means it will have specific permission levels which
cannot create directories or chmod unless Apache owns the parent directory.
That is why Tedd went through all that trouble.

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread Andy Hultgren 

Tedd,

Thanks so much your thorough response - it's good to know that I'm not the
only one trying to figure this out!  I'm curious, in your code you use the
PHP ftp functions, but I have used the PHP functions chmod() and mkdir()
without establishing an ftp connection.  Is it faster to establish an ftp
connection within PHP and then use the ftp series of functions to accomplish
all of the directory creation and permissions changes?  If so, then I will
probably change my code to follow yours.

Andy


On 9/25/06, tedd <[EMAIL PROTECTED]> wrote:


At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
>Hi Tedd,
>
>Yes, when I browse to www.myDomain.com I get the index.html file, and so
I
>have been leaving the .public_html/ directory alone since it is not my
>root.  I'm curious, what you described is exactly what I'm trying to do -
>what permissions do you set the parent folder at when you are finished
>uploading/saving/downloading/etc.?  I have my "uploaded_images/"
>directory set at chmod 0100 and I can still browse to an uploaded image
from
>my file upload page...  Thanks for your response,


Andy:

I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.

Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.

As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.

So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.

Now, not all php ftp_ are available to php 4, but you can
connect to your site and change permissions of folders, which is what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.

You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:

An example web path:

http://www.yourdomain.com/rw/tmp/text.txt

An example symbolic link:

public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.

Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your ".public_html/" directory,
but I would just leave it alone.

---

// how to call the function




// the function

");
return false;
exit();
}
else
{
echo("Made connection");
ftp_chdir($connection, $path); // go to destination dir

echo("Change permission");
$str="CHMOD 0755 " . $theDir; // change permissions for dir (note the
space after 0775 )
ftp_site($connection, $str);
echo("$str");

$filename = "$theDir/$theFile";
$contents = "This is the contents of the file.";

echo("Writing file ");

$file = fopen( $filename, "w" );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);

echo("Change permission");
$str="CHMOD 0600 " . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo("$str");


echo("Close connection");
ftp_close($connection); // close connection
}

}
?>
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-25 Thread tedd 

At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:

Hi Tedd,

Yes, when I browse to www.myDomain.com I get the index.html file, and so I
have been leaving the .public_html/ directory alone since it is not my
root.  I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.?  I have my "uploaded_images/"
directory set at chmod 0100 and I can still browse to an uploaded image from
my file upload page...  Thanks for your response,



Andy:

I ran into the same problem trying to work with, and understand, 
permissions on a virtual host. When I asked this gang about 
permissions some time back, I received answers that ranged from RTFM 
to calling me stupid for using 0777, but none answered my question. 
No fault of the gang, I probably didn't ask the question correctly. 
In any event, I felt too stupid to ask the question again, so I went 
elsewhere looking for answers and eventually found something that 
works for me.


Some consider me a novice, so I'll ask the gang to overview my 
comments to make sure that I'm not guiding you down the wrong path.


As you know, the key to setting the permissions of a file depends 
upon the permissions the parent folder. If the parent folder 
permission is set to 0777, then we can change any files inside the 
folder as we want. However, that also presents a major security hole 
because then anyone can use that folder to upload and run evil code.


So, the key problem is how to alter parent folder permissions.

With virtual hosting, we can upload, manage, and set permissions as 
we want via our FTP connection software. So, I thought perhaps php 
had something like that and as such I discovered how to ftp connect 
via php.


Now, not all php ftp_ are available to php 4, but you can 
connect to your site and change permissions of folders, which is what 
we actually need. So, if you want to do something with a file: then 
change the folder permissions of the folder that holds it; do 
whatever you want with the file; and then change the folder 
permissions back to something safe.


You can also create new folders if you want using the command ftp_mkdir().

Note, the beginning of the ftp_paths are different than url paths we 
would normally use to locate a file. For example:


An example web path:

http://www.yourdomain.com/rw/tmp/text.txt

An example symbolic link:

public_html/rw/tmp/text.txt

The following code will show you an example of how this works. Just 
put in your own domain, user id, password, and correct paths and try 
it out. Change the permissions in the code and watch how the file 
permissions change.


Please let me know if this works for you -- watch for line breaks.

hth's

tedd

PS: I don't know what to say about your ".public_html/" directory, 
but I would just leave it alone.


---

// how to call the function




// the function

");
return false;
exit();
}
else
{
echo("Made connection");
ftp_chdir($connection, $path); // go to destination dir

echo("Change permission");
$str="CHMOD 0755 " . $theDir; // change permissions for dir (note the 
space after 0775 )

ftp_site($connection, $str);
echo("$str");

$filename = "$theDir/$theFile";
$contents = "This is the contents of the file.";

echo("Writing file ");

$file = fopen( $filename, "w" );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);

echo("Change permission");
$str="CHMOD 0600 " . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo("$str");


echo("Close connection");
ftp_close($connection); // close connection
}

}
?>
--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-24 Thread Andy Hultgren 

Hi Tedd,

Yes, when I browse to www.myDomain.com I get the index.html file, and so I
have been leaving the .public_html/ directory alone since it is not my
root.  I'm curious, what you described is exactly what I'm trying to do -
what permissions do you set the parent folder at when you are finished
uploading/saving/downloading/etc.?  I have my "uploaded_images/"
directory set at chmod 0100 and I can still browse to an uploaded image from
my file upload page...  Thanks for your response,

Andy


On 9/23/06, tedd <[EMAIL PROTECTED]> wrote:


At 7:19 PM -0600 9/22/06, Andy Hultgren wrote:
>For whatever reason when I ftp in using WinFtp I don't see public_html
>(it's hidden, don't know why; if I make a directory called
>".public_html" it gets created and then disappears), but I can see my
>file structure from my host's website and so I know that when I ftp in
>to myDomain.com this is what is "there":
>
>index.htm
>page1.htm
>page2.htm
>.public_html/
>images/
>etc. etc.

Andy:

Sorry, I didn't catch all of the thread, but this is my drift.

When you access your site (http://yourdomain.com) via a browser, do
you see the above index.htm?

If so, and you want to stay with that host, then leave the
.public_html/ folder alone, and build your site using WinFTP, or
whatever.

If you want to change permissions for a file from within a php
script, then ftp into your site (using ftp_login), change the parent
folder permissions, do your file thing (upload, delete, save, etc.),
and then change the parent folder permissions back and it's done.

At least that's the way I do it working on a shared host and it works for
me.

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

Re: [PHP] File Upload Security and chmod

2006-09-23 Thread tedd 

At 7:19 PM -0600 9/22/06, Andy Hultgren wrote:

For whatever reason when I ftp in using WinFtp I don't see public_html
(it's hidden, don't know why; if I make a directory called
".public_html" it gets created and then disappears), but I can see my
file structure from my host's website and so I know that when I ftp in
to myDomain.com this is what is "there":

index.htm
page1.htm
page2.htm
.public_html/
images/
etc. etc.


Andy:

Sorry, I didn't catch all of the thread, but this is my drift.

When you access your site (http://yourdomain.com) via a browser, do 
you see the above index.htm?


If so, and you want to stay with that host, then leave the 
.public_html/ folder alone, and build your site using WinFTP, or 
whatever.


If you want to change permissions for a file from within a php 
script, then ftp into your site (using ftp_login), change the parent 
folder permissions, do your file thing (upload, delete, save, etc.), 
and then change the parent folder permissions back and it's done.


At least that's the way I do it working on a shared host and it works for me.

tedd

--
---
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-23 Thread Børge Holen 
On Saturday 23 September 2006 01:27, you wrote:
> Hi Borge,
>
> host/users/myDomain is the actual directory (and it's the root
> directory), and I do not have access to higher directories.  So
> basically I do not have access to directories higher than my root
> directory, which is unfortunate.  Also, the way the server is setup
> that I am on, I do not have access to the server's tmp file (it is not
> shared), I have my own tmp file in my root directory that I use.  I
> don't know of any other system-wide read/write directory available
> either.  I'd be putting a lot of data there too (customer uploaded
> images) so I really should save them somewhere in my directory and not
> in the common server space.
>
> You can start to see my bind... :(  Any thoughts greatly appreciated!
>
> Andy

Sounds like cheap b-one hosting of sorts...
thoughts? yes dont use it... Yer site will probably quickly become a playing 
ground for other than yerself. A file have to stay inside a quarantined area 
for a sanity check before let loose on the system.
Probably the cache of the browser ... for the I can see the page stuff. dunno.

But as I said: Change yer hosting, to something useable and safe.

>
> On 9/22/06, Børge Holen <[EMAIL PROTECTED]> wrote:
> > On Friday 22 September 2006 22:58, Andy Hultgren wrote:
> > > Hi,
> > > I am relatively new to php and am trying to set up a file upload
> > > process for my website.  I have read through the php security
> > > documentation and a number of the security-related questions on these
> > > lists and am attempting to implement as many of the measures as
> > > possible.
> > > One of the suggestions I have read is to have the uploaded files saved
> > > somewhere outside of your root directory.  Unfortunately I cannot do
> > > that as my root directory is simply www.myDomain.com and not
> > > ".public_html/" and I am on a shared server where my root cannot be
> > > changed (I have already asked).  So, I am trying to keep the
> > > permissions on my "saved_files" folder as tight as possible except
> > > when the actual upload occurs.  I this as follows:
> > >
> > > 1) The actual file upload comes through Flash8, and when the user
> > > uploads a file it is sent to
> > > www.domain.com/flash8directory/upload.php, which is in the same
> > > directory as the Flash8 upload application.
> > > 2) upload.php first chmod 0740 the "saved_files" folder (which is
> > > located at www.domain.com/flash8directory/saved_files/).  Then it does
> > > security checks to make sure an appropriate image has been uploaded,
> > > and if everything looks good it moves the uploaded file to
> > > "saved_files".
> > > 3) The Flash8 upload application is notified of the completion of the
> > > upload and downloads the new image it its viewer.
> > > 4) Once the download is complete and Flash8 no longer needs to work
> > > with the file, the Flash8 application notifies a separate php script
> > > by sending the variable "complete=1" to lockdown.php (located at
> > > www.domain.com/flash8directory/lockdown.php), which runs the following
> > > simple script:
> > >
> > >  > >
> > > $success = 0;
> > > $complete = $_POST['complete'];
> > >
> > > if ($complete==1) {
> > >   if(chmod("./saved_files", 0100)) {
> > >  success = yes;
> > >   echo "success=yes";
> > >   }
> > > }
> > > ?>
> > >
> > > This script works and "saved_files" is set to chmod 0100, but here is
> > > the problem.  If I then navigate directly to the url of the uploaded
> > > file by entering its path in my
> > > browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
> > > the uploaded file appears in my browser!  However, if I then refresh
> > > the browser I get the desired error message saying I do not have
> > > permission to access that file.  Also, other browser windows never
> > > have access to view the uploaded file, only the browser from which the
> > > file was uploaded.
> > >
> > > Any thoughts on why I can view the uploaded file even though it has
> > > been set to chmod 0100?  I'd really rather not have those files
> > > accessible to anyone, as an extra security layer.
> > >
> > > Thank you for your help!
> > >
> > > Andy
> >
> > I don't quite understand why you cannot save to another catalog.
> > is  www.myDomain.com yer actual directory name of merely the domain?
> > If either, login to yer domain and simply go either one step up, is that
> > possible?
> > You can also make use of a .htaccess file inside a sub directory to keep
> > others from it till you have checked the file, then move it out in the
> > open or delete after specifications.
> >
> > Do you have access to /tmp ? That one is possible to use, in fact any
> > system wide directory writable by any/you is usable.
> >
> > --
> > ---
> > Børge
> > Kennel Arivene
> > http://www.arivene.net
> > ---
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php

--

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Andy Hultgren 

For whatever reason when I ftp in using WinFtp I don't see public_html
(it's hidden, don't know why; if I make a directory called
".public_html" it gets created and then disappears), but I can see my
file structure from my host's website and so I know that when I ftp in
to myDomain.com this is what is "there":

index.htm
page1.htm
page2.htm
.public_html/
images/
etc. etc.

Currently nothing is stored in my .public_html directory since it is
not my root (and my website loads just fine when browsed to).

I don't ftp in from DreamWeaver and it isn't an issue of going
straight to public_html just to skip the cd step.  public_html just
isn't set up as my root directory and I have no directories accessable
that are higher than my root.

So, since I have no access to directories outside of my root, do you
really think I should change that before allowing file uploads?
(either by changing servers or just bugging my server adminstrator
until he changes it).  I currently check extension type and then image
type using get_image_size(); and also files with image extensions are
not executable on the server.  However, from what I've read I
understand that those steps are the minimum in terms of file upload
security.

Also, I'd be curious still to hear why I can browse to a file in a
directory that has been set with chmod 0100.  I really didn't expect
that.

Thanks again very much for your thoughts,

Andy


On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote:



I may have hit "send" too soon...

Like, when you do FTP, do you see:

index.htm
page2.htm
page3.htm

right away?

*OR*, do you see:
public_html

And then you do "cd public_html" and THEN you see the files?

If you don't do "cd public_html" then I really don't think accepting
file uploads is a Good Idea, unless you have access to /tmp or
something to put the files in...

If you do "cd public_html" then you actually HAVE space outside your
webtree.  Just do "mkdir uploads" and "chmod 777 uploads" *BEFORE* you
do "cd public_html" and you'll have an uploads dir outside the webtree
where you can put stuff.

NOTE:
Some fancy FTP tools like DreamWeaver and whatnot will convince you to
put "public_html" into some input box somewhere, to give you the
convenience of not needing to "cd public_html" -- which then means you
never *SEE* that you have space outside your webtree...  Stop doing
that.  An extra click or whatever to get into public_html is not that
big of a deal.

On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote:
> So pretty much there's nothing to be done about it?  If I can get the
> chmod thing to make it so that you can't surf to your uploaded image
> afterwards and view it, I'd be happy with that solution.  I'd like to
> stick with this host if I could.
>
> On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
>> On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
>> > that as my root directory is simply www.myDomain.com and not
>> > ".public_html/" and I am on a shared server where my root cannot
>> be
>>
>> I got two words for you:
>>
>> Change Hosts
>>
>> --
>> Like Music?
>> http://l-i-e.com/artists.htm
>>
>>
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


--
Like Music?
http://l-i-e.com/artists.htm





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Richard Lynch 


I may have hit "send" too soon...

Like, when you do FTP, do you see:

index.htm
page2.htm
page3.htm

right away?

*OR*, do you see:
public_html

And then you do "cd public_html" and THEN you see the files?

If you don't do "cd public_html" then I really don't think accepting
file uploads is a Good Idea, unless you have access to /tmp or
something to put the files in...

If you do "cd public_html" then you actually HAVE space outside your
webtree.  Just do "mkdir uploads" and "chmod 777 uploads" *BEFORE* you
do "cd public_html" and you'll have an uploads dir outside the webtree
where you can put stuff.

NOTE:
Some fancy FTP tools like DreamWeaver and whatnot will convince you to
put "public_html" into some input box somewhere, to give you the
convenience of not needing to "cd public_html" -- which then means you
never *SEE* that you have space outside your webtree...  Stop doing
that.  An extra click or whatever to get into public_html is not that
big of a deal.

On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote:
> So pretty much there's nothing to be done about it?  If I can get the
> chmod thing to make it so that you can't surf to your uploaded image
> afterwards and view it, I'd be happy with that solution.  I'd like to
> stick with this host if I could.
>
> On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
>> On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
>> > that as my root directory is simply www.myDomain.com and not
>> > ".public_html/" and I am on a shared server where my root cannot
>> be
>>
>> I got two words for you:
>>
>> Change Hosts
>>
>> --
>> Like Music?
>> http://l-i-e.com/artists.htm
>>
>>
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>


-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Andy Hultgren 

So pretty much there's nothing to be done about it?  If I can get the
chmod thing to make it so that you can't surf to your uploaded image
afterwards and view it, I'd be happy with that solution.  I'd like to
stick with this host if I could.

On 9/22/06, Richard Lynch <[EMAIL PROTECTED]> wrote:

On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
> that as my root directory is simply www.myDomain.com and not
> ".public_html/" and I am on a shared server where my root cannot be

I got two words for you:

Change Hosts

--
Like Music?
http://l-i-e.com/artists.htm





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Richard Lynch 
On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
> that as my root directory is simply www.myDomain.com and not
> ".public_html/" and I am on a shared server where my root cannot be

I got two words for you:

Change Hosts

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File Upload Security and chmod

2006-09-22 Thread Børge Holen 
On Friday 22 September 2006 22:58, Andy Hultgren wrote:
> Hi,
> I am relatively new to php and am trying to set up a file upload
> process for my website.  I have read through the php security
> documentation and a number of the security-related questions on these
> lists and am attempting to implement as many of the measures as
> possible.
> One of the suggestions I have read is to have the uploaded files saved
> somewhere outside of your root directory.  Unfortunately I cannot do
> that as my root directory is simply www.myDomain.com and not
> ".public_html/" and I am on a shared server where my root cannot be
> changed (I have already asked).  So, I am trying to keep the
> permissions on my "saved_files" folder as tight as possible except
> when the actual upload occurs.  I this as follows:
>
> 1) The actual file upload comes through Flash8, and when the user
> uploads a file it is sent to
> www.domain.com/flash8directory/upload.php, which is in the same
> directory as the Flash8 upload application.
> 2) upload.php first chmod 0740 the "saved_files" folder (which is
> located at www.domain.com/flash8directory/saved_files/).  Then it does
> security checks to make sure an appropriate image has been uploaded,
> and if everything looks good it moves the uploaded file to
> "saved_files".
> 3) The Flash8 upload application is notified of the completion of the
> upload and downloads the new image it its viewer.
> 4) Once the download is complete and Flash8 no longer needs to work
> with the file, the Flash8 application notifies a separate php script
> by sending the variable "complete=1" to lockdown.php (located at
> www.domain.com/flash8directory/lockdown.php), which runs the following
> simple script:
>
> 
> $success = 0;
> $complete = $_POST['complete'];
>
> if ($complete==1) {
>   if(chmod("./saved_files", 0100)) {
>  success = yes;
>   echo "success=yes";
>   }
> }
> ?>
>
> This script works and "saved_files" is set to chmod 0100, but here is
> the problem.  If I then navigate directly to the url of the uploaded
> file by entering its path in my
> browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
> the uploaded file appears in my browser!  However, if I then refresh
> the browser I get the desired error message saying I do not have
> permission to access that file.  Also, other browser windows never
> have access to view the uploaded file, only the browser from which the
> file was uploaded.
>
> Any thoughts on why I can view the uploaded file even though it has
> been set to chmod 0100?  I'd really rather not have those files
> accessible to anyone, as an extra security layer.
>
> Thank you for your help!
>
> Andy

I don't quite understand why you cannot save to another catalog.
is  www.myDomain.com yer actual directory name of merely the domain?
If either, login to yer domain and simply go either one step up, is that 
possible? 
You can also make use of a .htaccess file inside a sub directory to keep 
others from it till you have checked the file, then move it out in the open 
or delete after specifications.

Do you have access to /tmp ? That one is possible to use, in fact any system 
wide directory writable by any/you is usable.

-- 
---
Børge
Kennel Arivene 
http://www.arivene.net
---

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file Upload - checking file size before uploading

2006-05-10 Thread Wolf 
True, but it checks it at the first attempt to upload, not when the file
is done or partially uploaded.  Granted, not what the OP asked for
exactly, but better then what he has now and better then spending more
time looking...

Wolf

Chris wrote:
> Wolf wrote:
>> In your form uploading script:
>> # individual file size limit - in bytes (102400 bytes = 100KB)
>> $file_size_ind = "838860800"; // 819.2 MB
>>
>>
>> $weight=$_FILES[fileupload][size];
>>
>> if ($weight>$file_size_ind)
>> {
>>  echo"> height=\"15\"> ERROR: please get the file size
>> less than ".$file_size_ind." BYTES  (".round(($file_size_ind/1024),2)."
>> KB)»back";
>> }
> 
> That has already attempted to upload the file to the server.. which is
> what the OP didn't want.
> 
> Would be handy to be able to do this but *shrug*..
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file Upload - checking file size before uploading

2006-05-10 Thread Chris 

Wolf wrote:

In your form uploading script:
# individual file size limit - in bytes (102400 bytes = 100KB)
$file_size_ind = "838860800"; // 819.2 MB


$weight=$_FILES[fileupload][size];

if ($weight>$file_size_ind)
{
 echo" ERROR: please get the file size
less than ".$file_size_ind." BYTES  (".round(($file_size_ind/1024),2)."
KB)»back";
}


That has already attempted to upload the file to the server.. which is 
what the OP didn't want.


Would be handy to be able to do this but *shrug*..

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file Upload - checking file size before uploading

2006-05-10 Thread Wolf 
In your form uploading script:
# individual file size limit - in bytes (102400 bytes = 100KB)
$file_size_ind = "838860800"; // 819.2 MB


$weight=$_FILES[fileupload][size];

if ($weight>$file_size_ind)
{
 echo" ERROR: please get the file size
less than ".$file_size_ind." BYTES  (".round(($file_size_ind/1024),2)."
KB)»back";
}


James Nunnerley wrote:
> Is there anyway to check the size of a file before it starts uploading it?
> For instance, if the file is huge, and takes ages to upload, and is then
> rejected by the server, the user will be somewhat annoyed!
> 
>  
> 
> I'm not even sure this is a php question!
> 
>  
> 
> Cheers
> 
> Nunners
> 
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file Upload - checking file size before uploading

2006-05-10 Thread Richard Lynch 
On Wed, May 10, 2006 11:09 am, Phillip S. Baker wrote:
> James Nunnerley wrote:
> However you can set the max file size within the  tag of HTML.
> I forget the proper snytax and tag off the top of my head.
> I am not sure the error it spits out as I have never tested that.
> you can also use javascript or the like to check the file size.

AFAIK, the browsers never did get around to using this to do anything
useful with it...

It is a weird sort of check, from those halcyon days when users didn't
do things like hack POST data to try and break your server...

So, pretty much, it's a useless bit of cruft, really.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file Upload - checking file size before uploading

2006-05-10 Thread Jochem Maas 

Jay Blanchard wrote:

[snip]
Is there anyway to check the size of a file before it starts uploading
it?
For instance, if the file is huge, and takes ages to upload, and is then
rejected by the server, the user will be somewhat annoyed!
[/snip]

PHP is server-side and cannot check anything client-side. You cold use
something client-side, like JavaScript, to check the file size and then
deliver a warning if the file is too large.


please, how do you do that with javascript - given the sandbox that javascript
runs in which doesn't allow access to the file system (IE security bugs and v.
special browser settings not with standing)?





--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file Upload - checking file size before uploading

2006-05-10 Thread Phillip S. Baker 

James Nunnerley wrote:

Is there anyway to check the size of a file before it starts uploading it?
For instance, if the file is huge, and takes ages to upload, and is then
rejected by the server, the user will be somewhat annoyed!

 


I'm not even sure this is a php question!


Nope not a PHP question.
However you can set the max file size within the  tag of HTML.
I forget the proper snytax and tag off the top of my head.
I am not sure the error it spits out as I have never tested that.
you can also use javascript or the like to check the file size.

Bless Be

Phillip

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file Upload - checking file size before uploading

2006-05-10 Thread Duncan Hill 
On Wednesday 10 May 2006 13:39, Jay Blanchard wrote:
> [snip]
> Is there anyway to check the size of a file before it starts uploading
> it?
> For instance, if the file is huge, and takes ages to upload, and is then
> rejected by the server, the user will be somewhat annoyed!
> [/snip]
>
> PHP is server-side and cannot check anything client-side. You cold use
> something client-side, like JavaScript, to check the file size and then
> deliver a warning if the file is too large.

Alternately ... "This service only accepts files up to 10 MB.  Uploading 
anything larger will fail."

Assumes comprehension unfortunately.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] file Upload - checking file size before uploading

2006-05-10 Thread Jay Blanchard 
[snip]
Is there anyway to check the size of a file before it starts uploading
it?
For instance, if the file is huge, and takes ages to upload, and is then
rejected by the server, the user will be somewhat annoyed!
[/snip]

PHP is server-side and cannot check anything client-side. You cold use
something client-side, like JavaScript, to check the file size and then
deliver a warning if the file is too large.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file Upload - checking file size before uploading

2006-05-10 Thread Barry 

James Nunnerley schrieb:

Is there anyway to check the size of a file before it starts uploading it?
For instance, if the file is huge, and takes ages to upload, and is then
rejected by the server, the user will be somewhat annoyed!

 


I'm not even sure this is a php question!


No you can't.
Not with PHP.

--
Smileys rule (cX.x)C --o(^_^o)
Dance for me! ^(^_^)o (o^_^)o o(^_^)^ o(^_^o)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-04-04 Thread Robby Russell 
On Mon, 2005-04-04 at 17:07 +0300, William Stokes wrote:
> Hello,
> I might have asked this already but I am still ignorent ;-)
> 
> How to check if a same name file already exists in a upload directory when 
> uploading new file?
> 
> Thanks
> -Will 
> 

http://www.php.net/file_exists

-Robby

-- 
/***
* Robby Russell | Owner.Developer.Geek
* PLANET ARGON  | www.planetargon.com
* Portland, OR  | [EMAIL PROTECTED]
* 503.351.4730  | blog.planetargon.com
* PHP, Ruby, and PostgreSQL Development
* http://www.robbyonrails.com/
/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

RE: [PHP] file upload

2005-04-04 Thread Mike 
> How to check if a same name file already exists in a upload 
> directory when uploading new file?
> 

Use the file_exists() function (oddly named, I know).

http://us4.php.net/manual/en/function.file-exists.php

-M 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-04-04 Thread Larry E . Ullman 
I might have asked this already but I am still ignorent ;-)
How to check if a same name file already exists in a upload directory 
when
uploading new file?
Use the appropriately named file_exists() function.
L.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-03-28 Thread Burhan Khalid 
William Stokes wrote:
Okl I can't reverse engineer that...
I just need to know how to set the path.
now I have it like this and it wont work. $fileame comes from a form.
if (copy($filename, "/imagedir/" . $filename_name))
   print "upload succesful!";
Don't use copy(), use move_uploaded_file()
See http://www.php.net/manual/en/features.file-upload.php
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-03-24 Thread William Stokes 
Never mind. I got that sorted out! Thanks anyway...
-Will

"William Stokes" <[EMAIL PROTECTED]> kirjoitti 
viestissä:[EMAIL PROTECTED]
> Okl I can't reverse engineer that...
>
> I just need to know how to set the path.
> now I have it like this and it wont work. $fileame comes from a form.
>
> if (copy($filename, "/imagedir/" . $filename_name))
>   print "upload succesful!";
>
>
> "Tristan Pretty" <[EMAIL PROTECTED]> kirjoitti 
> viestissä:[EMAIL PROTECTED]
>> http://www.hotscripts.com/Detailed/24113.html
>> take a look at this.. perhaps you can reverse engineer it
>>
>>
>>
>>
>>
>> "William Stokes" <[EMAIL PROTECTED]>
>> 24/03/2005 09:18
>>
>> To
>> php-general@lists.php.net
>> cc
>>
>> Subject
>> [PHP] file upload
>>
>>
>>
>>
>>
>>
>> Hello,
>>
>> I'm (slowly) learning how to make a file upload stuff with php. Now I
>> would
>> like to know how to define the servers upload directory in the code?
>>
>> For example I have the upload script in folder /www in the www.domain.com
>> server and I want upload the files to /www/uploads folder. So how do 
>> write
>>
>> the  path in the php script?
>>
>> Thanks
>> -Will
>>
>> -- 
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
>> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-03-24 Thread William Stokes 
Okl I can't reverse engineer that...

I just need to know how to set the path.
now I have it like this and it wont work. $fileame comes from a form.

if (copy($filename, "/imagedir/" . $filename_name))
   print "upload succesful!";


"Tristan Pretty" <[EMAIL PROTECTED]> kirjoitti 
viestissä:[EMAIL PROTECTED]
> http://www.hotscripts.com/Detailed/24113.html
> take a look at this.. perhaps you can reverse engineer it
>
>
>
>
>
> "William Stokes" <[EMAIL PROTECTED]>
> 24/03/2005 09:18
>
> To
> php-general@lists.php.net
> cc
>
> Subject
> [PHP] file upload
>
>
>
>
>
>
> Hello,
>
> I'm (slowly) learning how to make a file upload stuff with php. Now I
> would
> like to know how to define the servers upload directory in the code?
>
> For example I have the upload script in folder /www in the www.domain.com
> server and I want upload the files to /www/uploads folder. So how do write
>
> the  path in the php script?
>
> Thanks
> -Will
>
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-03-24 Thread Tristan . Pretty 
http://www.hotscripts.com/Detailed/24113.html
take a look at this.. perhaps you can reverse engineer it





"William Stokes" <[EMAIL PROTECTED]> 
24/03/2005 09:18

To
php-general@lists.php.net
cc

Subject
[PHP] file upload






Hello,

I'm (slowly) learning how to make a file upload stuff with php. Now I 
would 
like to know how to define the servers upload directory in the code?

For example I have the upload script in folder /www in the www.domain.com 
server and I want upload the files to /www/uploads folder. So how do write 

the  path in the php script?

Thanks
-Will

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File upload, suid directory and temporary dir

2005-02-11 Thread Richard Lynch 
ADNET Ghislain wrote:
> upload_tmp_dir/www/htdocs/upload  /no value/
   ^^^
  /
 /
*THIS* is the one that matters -+

Somehow, you are OVER-RIDING your php.ini in either .htaccess or your PHP
source to set this upload_tmp_dir to a blank, or an invalid directory
or...

Or, perhaps, your suid bit setting is making PHP nervous, and it's
deciding to not use that directory, so then it reverts to the default when
you do the upload.

So PHP is reading the php.ini, setting the value, then over-riding it
somewhere/somehow "locally" in an .htaccess or something.

Hope that helps.`

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File upload, suid directory and temporary dir

2005-02-09 Thread Richard Lynch 
ADNET Ghislain wrote:
>   I am trying to make upload files to belong to the ftp user of the
> website and not the apache user.
>
>   As i run in module i tried to do this:
>
> 1/ create a temp dir on the website outside the documentroot,  chown the
> temp dir to my ftp user and allow the group to write,, put the same
> group as the webserver on the tmp dir too.
>
> 2/  then chmod u+s it (so with suid on the directory)   and at the end
> i  put my upload_tmp_dir setting to this directory.
>
> I was quite sure it would solve the issue BUT ... (there is allway a
> BUT... ;)
>
> when i run the simple script at php.net it gives me this output :
>
> --
>
> File is valid, and was successfully uploaded.
> Here is some more debugging info:Array
> (
> [userfile] => Array
> (
> [name] => afnic-adherent-200x80.gif
> [type] => image/gif
> [tmp_name] => /var/tmp/php2L6xR7
> [error] => 0
> [size] => 17710
> )
>
> )
>
> 
>
> You see :
>
> [tmp_name] => /var/tmp/php2L6xR7
>
> and the file belong to the apache user... not the ftp one :(
>
> So really i wonder if anyone found a solution to this problem, or can
> explain me why this setup fails ?

Apache was still the user that created the file, and therefore it will
belong to Apache until somebody does a 'chown' on the file.

Only the superuser can 'chown' a file.

Thus, you will need a sudo script of some kind to do the chown, or some
way to let the FTP user create the file, then the Apache user's data to go
in it.

So, some options:

1. Write a cron job as root to "chown ftp:ftp /var/tmp/php*"
This has the severe down-side of maybe someday changing stuff you *WANT*
to be owned by Apache.

2. Let Apache move the files somewhere else, like, say:
/var/to_ftp/
and then do #1 above.

3. When a file is uploaded, have PHP be able to execute a shell command
that has the FTP user create a temp file, writable by Apache, and then
Apache can copy its temp file to the FTP temp file by doing
fopen/fwrite/fclose.  It will still be owned by FTP user, but Apache can
fill it up with whatever data it wants.  You should add some serious
sanity checking on the data when you READ these files, however, if you
have untrusted users on the system. Or a routine audit/sweep of all these
files to be SURE they are kosher, or...

4. Provide a shell script which allows the Apache user to chown *ONLY*
files within /var/tmp, and *ONLY* files that start with 'php' and then
Apache can chown the files to the FTP user.  Don't give Apache free rein
to chown any old file it wants! [shudder]

5. Easiest: Let Apache move_uploaded_file somewhere, and make it readable
by FTP user.  Have FTP user copy over files from the Apache storage space.
 When the FTP user creates the new file, it will be owned by the FTP user.
 Again, you want to put some controls/checks on this to be sure it's not
abused.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File upload difference between browsers

2005-02-01 Thread Marek Kilimajer 
Graham Cossey wrote:
I have a problem uploading a file in IE6 or Firefox1.0 but it works
fine using Opera7.54.
The problem is that I want to ensure that the file being uploaded is a
CSV file, so I test the $_FILES['file']['type'] value.
In Firefox & IE it is returned as "application/octet-stream" but in
Opera it is returned as "text/comma-separated-values", the latter
being what I would expect.
The posting form has: enctype="multipart/form-data"
Can anyone offer some advice on how I can reliably test for a valid CSV file?
(At least I have some security built-in, in so much as you have to use
Opera to upload files !!)
In Mozilla, you can go to Preferences -> Naviator -> Helper 
Applications. Then click "New Type", fill in MIME type, description and 
extension, and that should be it. And then ask everyone to do that :)

Or better don't rely on client supplied values. You can use
mime_content_type() to find out the real mime type.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] File upload difference between browsers

2005-02-01 Thread Richard Lynch 
Graham Cossey wrote:
> The problem is that I want to ensure that the file being uploaded is a
> CSV file, so I test the $_FILES['file']['type'] value.

That only ensures that somebody else can forge the type header being sent
to you.

Anybody with half a clue (okay, a clue and a half) could do that:

telnet example.com 80
POST /your_form.php HTTP/1.1
Host: example.com
Content-type: text/comma-separated-values

INSERT FAVORITE TROJAN WORM HERE


So it's pretty useless as a security measure...

> In Firefox & IE it is returned as "application/octet-stream" but in
> Opera it is returned as "text/comma-separated-values", the latter
> being what I would expect.

Plus, as you have discovered, the browser manufacturers have absolutely no
concept of "standards" when it comes to setting Content-type: on an
uploaded file.

> Can anyone offer some advice on how I can reliably test for a valid CSV
> file?

Actually, you're very lucky on this one, in that you can use
http://php.net/fgetcsv on it, repeatedly, and either PHP has an error, or
PHP doesn't, and then you KNOW it parses as a valid CSV file, from
beginning to end.

So, what you *MIGHT* do would be something like this:



You may not be able to READ $_FILE['file']['tmpname'], so you'd have to
move_uploaded_file() it to a staging area first, and then read that.

You might want to play around with the error_reporting setting a bit, and
a bunch of CSV test files from different sources.

You may want to rule that ANY output (strlen($php_output)) is indicative
of an error, rather than checking for 'Error' 'Warning' 'Notice' as I
did... In fact, that would probably be better.

If the files might be large, you may want to cache the CSV data you read,
and then you can use it later in your script, after you've read the whole
thing in and you know it's kosher...  Course, if it's REALLY large, you'll
want to cache that in something like a temp table in MySQL or something,
just so you won't fill up RAM with some monster Array in PHP...

For a small CSV file, it really won't matter that much if you read it
twice -- It will probably be in the File System cache for you anyway,
depending on server load.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload error

2005-02-01 Thread Richard Lynch 
Tom wrote:
> Thanks for the replies. My manual was out of date, not that it would
> have made any difference to this anyway as .
> upload_tmp_dir variable was correctly set in the php.ini file, and I'd
> restarted the web server several times. It seems however that the file
> is getting cached somehow, and is not re-read until I restart the entire
> box. Anyone out there know why this may be, or a slightly better way of
> getting around it than rebooting?
> (By the way, the upload functionality is fine after the reboot :))

Several possibilities here...

First, you can ERADICATE the idea that the file was getting cached, at
least by Apache or PHP.  Maybe you've got something really funky in your
file-system to cache it, but that's also incredibly unlikely.

On to the possible scenarios:

1. You only *THOUGHT* you re-started Apache, but the script you use to
stop/start Apache, or Apache itself, failed to inform you that it didn't
stop and then start correctly.

2. You *DID* re-start Apache, but the script you used is telling Apache to
read a DIFFERENT httpd.conf from the one that gets read by your boot
processing script (/etc/rc.init/[apache|httpd] probably, on Linux).  That
different httpd.conf, in turn, points to a DIFFERENT php.ini and/or
mod_php.so getting loaded, so the php.ini you *thought* was getting
re-loaded when you restarted Apache, was not the one really getting
loaded.

You can easily confirm/deny #2 by looking at  after a
re-boot, then re-starting Apache, then looking at 
again.  The same php.ini file should be listed near the top in both cases,
or you'll quickly find out which php.ini file[s] are being read.

For #1, you can try your Apache re-start again, and use
http://localhost/server-status (or is that server_status) to see Apache's
up-time, if you have mod_status installed.  Or you could use "ps auxwww |
grep httpd" to see how long Apache has been runing.  Or maybe use "top" to
find out if you really really re-started Apache.

Hopefully, this is a development machine so you can re-start and re-boot
as needed to track down what is or isn't happening.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload error

2005-02-01 Thread Tom 
Thanks for the replies. My manual was out of date, not that it would 
have made any difference to this anyway as .
upload_tmp_dir variable was correctly set in the php.ini file, and I'd 
restarted the web server several times. It seems however that the file 
is getting cached somehow, and is not re-read until I restart the entire 
box. Anyone out there know why this may be, or a slightly better way of 
getting around it than rebooting?
(By the way, the upload functionality is fine after the reboot :))

Ta
Tom
Marek Kilimajer wrote:
Tom wrote:
Hi
I have a very simple file upload form and script to handle it (copied 
verbatim from the php manual, except for the file target location and 
the script name).
However, it always fails, with an error code in the _FILE array or 6.
Does anyone know what this error is or what I am likely to have set 
wrong? All that I can find in the docs are errors from 0 to 4 :-(

It's there:
http://sk.php.net/manual/en/features.file-upload.errors.php
UPLOAD_ERR_NO_TMP_DIR
Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and 
PHP 5.0.3.

Note: These became PHP constants in PHP 4.3.0.
Set the correct upload_tmp_dir in php.ini and restart webserver
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload error

2005-01-31 Thread Marek Kilimajer 
Tom wrote:
Hi
I have a very simple file upload form and script to handle it (copied 
verbatim from the php manual, except for the file target location and 
the script name).
However, it always fails, with an error code in the _FILE array or 6.
Does anyone know what this error is or what I am likely to have set 
wrong? All that I can find in the docs are errors from 0 to 4 :-(
It's there:
http://sk.php.net/manual/en/features.file-upload.errors.php
UPLOAD_ERR_NO_TMP_DIR
Value: 6; Missing a temporary folder. Introduced in PHP 4.3.10 and 
PHP 5.0.3.

Note: These became PHP constants in PHP 4.3.0.
Set the correct upload_tmp_dir in php.ini and restart webserver
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-01-20 Thread anirudh dutt 
On Thu, 20 Jan 2005 13:30:35 +0100, M. Sokolewicz <[EMAIL PROTECTED]> wrote:
> what you're doing is server => server
> What the akshay wants is server => client
> The only not yet posted other options are client => client (which is
> essentially impossible with PHP, unless you use the server=>server
> setup) and client => server (which is called uploading)

right. i assumed he wanted to do something like get a file from
another server and then send/display it to the client (news picker for
a feed or comic strip ripper).

if the file is on the same server, then a simple download would do ;-)
or if the script's gonna generate data dynamically, then it would have
to send the Content-Disposition, Pragma, etc. headers.

@akshay: the headers to be sent differ for normal browsers and IE.

anirudh

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-01-20 Thread M. Sokolewicz 
Anirudh Dutt wrote:
On Thu, 20 Jan 2005 12:26:07 +0100, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
akshay wrote:
Hi all,
I hv problem while file upload.
I hv one server and multiple client.
I want to upload a file from Server to client.
how this is possible in PHP
This is usualy called download. Is this what you want?

yeah. if that's what u're trying, check out the manual page on
fsockopen: http://php.net/function.fsockopen
the first example will give u an idea of what to do.
[code]
\n";
} else {
   $out = "GET / HTTP/1.1\r\n";
   $out .= "Host: www.example.com\r\n";
   $out .= "Connection: Close\r\n\r\n";
   fwrite($fp, $out);
   while (!feof($fp)) {
   echo fgets($fp, 128);
   }
   fclose($fp);
}
?> 
[/code]

the 02-Dec-2004 01:50 comment is also useful.
anirudh
what you're doing is server => server
What the akshay wants is server => client
The only not yet posted other options are client => client (which is 
essentially impossible with PHP, unless you use the server=>server 
setup) and client => server (which is called uploading)

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-01-20 Thread anirudh dutt 
On Thu, 20 Jan 2005 12:26:07 +0100, Marek Kilimajer <[EMAIL PROTECTED]> wrote:
> akshay wrote:
> > Hi all,
> > I hv problem while file upload.
> > I hv one server and multiple client.
> > I want to upload a file from Server to client.
> > how this is possible in PHP
> 
> This is usualy called download. Is this what you want?

yeah. if that's what u're trying, check out the manual page on
fsockopen: http://php.net/function.fsockopen

the first example will give u an idea of what to do.

[code]
\n";
} else {
   $out = "GET / HTTP/1.1\r\n";
   $out .= "Host: www.example.com\r\n";
   $out .= "Connection: Close\r\n\r\n";

   fwrite($fp, $out);
   while (!feof($fp)) {
   echo fgets($fp, 128);
   }
   fclose($fp);
}
?> 
[/code]

the 02-Dec-2004 01:50 comment is also useful.

anirudh

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] file upload

2005-01-20 Thread Marek Kilimajer 
akshay wrote:
Hi all,
I hv problem while file upload.
I hv one server and multiple client.
I want to upload a file from Server to client.
how this is possible in PHP
This is usualy called download. Is this what you want?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

  1   2   3   4   >