sonesay
Nov 24 2008, 10:57 AM
I've just tried to test my upload script on the trap17 hosting server and I'm unsure what's the proper way to keep the upload directory secure.

How I have it set up locally: my 'uploads' folder is chowned to 'nobody' and set to 775. The reason I set it to 'nobody' is that when it was set to 777 the files uploaded were by 'nobody', so I'm assuming that's what xampp is doing. This seems to work, but if there is a proper way do tell.

How I have it on trap17: the 'uploads' folder is set back to 774 (when it was on 777 uploads work, but I'm sure it's not safe this way?), so now I get a permissions error. I'm guessing if I get a PHP file to create the folder it would have its permission, but there must be a better way to do this?

Another thing: I don't have any checks, so any file can be uploaded. I looked on the php.net page where I got the code and people have suggested ways of securing it, but most just seem like weak validation. Does anyone know how to properly handle files being uploaded and restrict it only to real images?
truefusion
Nov 24 2008, 02:24 PM
Having the PHP file create the folder may be equal to chmodding the folder to 0777—but don't quote me on this. The only way I can think of to keep things as secure as I would assume you would want would be to have a program on the server side that is owned by the same user or group that the folder you are trying to upload to has, which the PHP script(s) communicate(s) with by sending it all the data it needs (e.g. the temporary name of the uploaded file and what mimetype it should be and where to move it to if all is green). This, I would say (or at least in theory), should allow a directory with 0774 permissions to "accept" uploads from users while keeping things satisfyingly secure. However, this may require more access to the server in order to make this executable work the way you want. The only implication I can think of is when it comes time to allow the user to delete what they've uploaded (assuming this is in a multi-user environment), as you wouldn't want users deleting things that aren't theirs. But that shouldn't be (much of) a problem if you have the script check a database of who uploaded the file.
sonesay
Nov 24 2008, 08:08 PM
I have a permissions problem when I try and run my mkdir.php file on the trap17 server. I have set my folders of 'si' and file 'mkdir.php' to 777 and I still get permission denied error. Is there something else I can do?

CODE
<?php
// Create 'testfolder' in the current working directory, accessible to its owner only
mkdir("testfolder", 0700);
?>

Luckily for me I'm only building this for my own personal use, so validating is just something I was hoping to sort out if I ever want to build something where other users can upload files. The mimetype is one way to help, but it has been noted on the php.net site as being client-side validation by the browser, so it can be tricked. I think the other method I came across was reading the file size and also reading the first few bytes to determine if it was indeed an image file, but so far I still haven't been able to locate that information again.
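
The content check mentioned in the post above (deciding from the file's own bytes instead of the browser-supplied MIME type), as an added example that is not part of any post in this thread. The function names, the 2 MB limit, the `image` form field and the `uploads` path are assumptions.

```php
<?php
// Added example, not code from the thread. Function names, the 2 MB limit,
// the "image" form field and the uploads path are assumptions.
const UPLOAD_MAX_BYTES = 2097152;
const UPLOAD_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Decide the type from the file's own bytes. $_FILES[...]['type'] and the
// client's filename are never consulted, since the browser supplies both.
function image_extension_from_content(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);   // libmagic signature check
    if ($mime === false || !isset(UPLOAD_TYPES[$mime])) {
        return null;
    }
    $info = @getimagesize($path);                           // header must also parse
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        return null;
    }
    return UPLOAD_TYPES[$mime];
}

function store_uploaded_image(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])
        || filesize($file['tmp_name']) > UPLOAD_MAX_BYTES) {
        throw new RuntimeException('no valid HTTP upload, or file too large');
    }
    $ext = image_extension_from_content($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('content is not a JPEG, PNG or GIF');
    }
    // Server-chosen random name with an extension from the whitelist, so a
    // file carrying script code cannot arrive as "something.php".
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not move file into ' . $uploadDir);
    }
    chmod($target, 0644);   // readable by the web server, not executable
    return $target;
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: a 1x1 GIF, and PHP source as it might arrive named "photo.gif".
    $gif = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
    $php = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($php, "<?php echo 'not an image';");
    var_dump(image_extension_from_content($gif));
    var_dump(image_extension_from_content($php));
    unlink($gif); unlink($php);
} elseif (isset($_FILES['image'])) {
    try {
        echo basename(store_uploaded_image($_FILES['image'], __DIR__ . '/uploads'));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo $e->getMessage();
    }
}
```

A file can be a valid image and still carry script text in its metadata, so the server-chosen name and extension matter as much as the content check.
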
truefusion
Nov 24 2008, 09:24 PM
QUOTE(sonesay @ Nov 24 2008, 04:08 PM)
I have a permissions problem when I try and run my mkdir.php file on the trap17 server. I have set my folders of 'si' and file 'mkdir.php' to 777 and I still get permission denied error. Is there something else I can do?

You don't need to set mkdir.php to 0777 for it to create folders. Setting the folder that mkdir.php is in to 0777 should have allowed the script to create the folder in the current working directory. I'm not sure what would be the problem.
sonesay
Nov 24 2008, 09:53 PM
QUOTE(truefusion @ Nov 25 2008, 10:24 AM)
You don't need to set mkdir.php to 0777 for it to create folders. Setting the folder that mkdir.php is in to 0777 should have allowed the script to create the folder in the current working directory. I'm not sure what would be the problem.

Yeah, I was thinking that as well but somehow it just didn't work. I have got it to work now but yeah, the whole process was a headache. As it is now:

si folder is 775
mkdir.php is 775, but it won't execute anymore since I removed executable from it (it doesn't matter since I already have the folder created)
testfolder is 750 (my image upload folder); it was created by mkdir.php (I can't delete this now with cpanel because it's not owned by me. rmdir() won't work either because it has files in there (my uploaded images)).

It works but I have to tidy it up. I'm not sure why, but under file manager in cpanel my view of testfolder is always empty, yet I can browse and view its contents at http://sonesayi.com/si/testfolder/. I'm thinking now the only way to remove it is to write a PHP script. I saw one just earlier when I was looking up information on removing directories where it checked for files inside the directory and removed them all before removing the parent folder. /sigh
truefusion
Nov 24 2008, 11:33 PM
QUOTE(sonesay @ Nov 24 2008, 05:53 PM)
I'm thinking now the only way to remove it is to write a php script. I saw one just earlier when I was looking up information on removing directories where it checked for files inside the directory and removed them all before removing the parent folder.

My gallery script has a function that recursively scans a folder and pulls up all the files; I'll pull it up. However, you'll have to work out a way to differentiate between directories and files so you don't get the same message, then you just delete the directories after deleting the files:

CODE
function deepscan($dir) {
    // Make sure the path ends with a slash
    if (!preg_match("/\/$/", $dir)){
        $dir .= "/";
    }
    $files = array();
    if ($handle = opendir($dir)) {
        while (false !== ($file = readdir($handle))) {
            if ($file != "." && $file != "..") {
                if (is_dir($dir.$file)){
                    // Record the directory itself, then everything below it
                    $files[] = $dir.$file;
                    $files = array_merge($files, deepscan($dir.$file));
                } else {
                    array_push($files, $dir.$file);
                }
            }
        }
        closedir($handle);
    }
    sort($files);
    return $files;
}
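
Removing a folder that still has files in it, as discussed in the two posts above, done children-first so that rmdir() only ever meets empty directories. This is an added example, not truefusion's gallery code; remove_tree() and its base-directory argument are assumptions, and it has to run as the user that owns the folder (in this thread, PHP under the web server).

```php
<?php
// Added example, not code from the thread; remove_tree() and the base
// directory argument are assumptions.

/**
 * Delete $dir and everything under it, children first. Refuses to act on
 * anything outside $base (or on $base itself) and never follows symbolic
 * links. Returns the number of entries removed.
 */
function remove_tree(string $dir, string $base): int
{
    $sep  = DIRECTORY_SEPARATOR;
    $real = realpath($dir);
    $root = realpath($base);
    if ($real === false || $root === false || is_link($dir) || $real === $root
        || strpos($real . $sep, $root . $sep) !== 0) {
        throw new InvalidArgumentException("refusing to delete: $dir");
    }
    $removed = 0;
    // Without FOLLOW_SYMLINKS the iterator does not descend into linked directories.
    $items = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($items as $item) {
        // A symlink is unlinked itself; whatever it points at is left alone.
        $ok = ($item->isDir() && !$item->isLink())
            ? rmdir($item->getPathname())
            : unlink($item->getPathname());
        if (!$ok) {
            throw new RuntimeException('cannot remove ' . $item->getPathname());
        }
        $removed++;
    }
    if (!rmdir($real)) {
        throw new RuntimeException("cannot remove $real");
    }
    return $removed + 1;
}

// Constructed demo tree under the system temp directory.
$base = sys_get_temp_dir() . '/rt_demo_' . bin2hex(random_bytes(4));
mkdir("$base/testfolder/sub", 0750, true);
file_put_contents("$base/testfolder/a.jpg", 'x');
file_put_contents("$base/testfolder/sub/b.jpg", 'x');
echo remove_tree("$base/testfolder", $base), " entries removed\n";
rmdir($base);
```
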
(G)shabeer
Sep 4 2009, 01:16 AM
using my uploaded images
Securing Upload Directory
Please tell me if I am on the right track. I am busy with my website that allows members to upload a car image. I manage to upload these very well using PHP, which stores it in my host directory called images. It's there and I only see numbers when I open them. Is there another script to retrieve this to my c: files AFTER they are uploaded? This is what I wanna do: save these to a database. On my website page there is a block for each car. I then need to upload this to a block, and then have a search button for e.g. ford etc. Is this possible or am I doing it all wrong? The site is up and running with no actual cars cos they are all on my host and I don't know how to get it out of there. Sorry, I am not a developer or a programmer. I have done this with trial and error. I don't know if I am allowed to mention the site address, so someone can check it out and give me some tips...

-question by shabeer