Re: [PHP] File Upload Security and chmod
- From: ceo@xxxxxxxxx ("Richard Lynch")
- Date: Tue, 26 Sep 2006 18:09:34 -0500 (CDT)
The FTP will be slower, almost for sure.
He's doing it because he can FTP in as himself, and not as the
"nobody" user Apache runs as.
Your webhost has you running as yourself already, so you can chmod
your files at will in PHP.
On Mon, September 25, 2006 2:11 pm, Andy Hultgren wrote:
Tedd,
Thanks so much your thorough response - it's good to know that I'm not
the
only one trying to figure this out! I'm curious, in your code you use
the
PHP ftp functions, but I have used the PHP functions chmod() and
mkdir()
without establishing an ftp connection. Is it faster to establish an
ftp
connection within PHP and then use the ftp series of functions to
accomplish
all of the directory creation and permissions changes? If so, then I
will
probably change my code to follow yours.
Andy
On 9/25/06, tedd <tedd@xxxxxxxxxxxx> wrote:
At 9:32 PM -0600 9/24/06, Andy Hultgren wrote:
Hi Tedd,and so
Yes, when I browse to www.myDomain.com I get the index.html file,
I
have been leaving the .public_html/ directory alone since it is notmy
root. I'm curious, what you described is exactly what I'm tryingto do -
what permissions do you set the parent folder at when you arefinished
uploading/saving/downloading/etc.? I have my "uploaded_images/"image
directory set at chmod 0100 and I can still browse to an uploaded
from
my file upload page... Thanks for your response,
Andy:
I ran into the same problem trying to work with, and understand,
permissions on a virtual host. When I asked this gang about
permissions some time back, I received answers that ranged from RTFM
to calling me stupid for using 0777, but none answered my question.
No fault of the gang, I probably didn't ask the question correctly.
In any event, I felt too stupid to ask the question again, so I went
elsewhere looking for answers and eventually found something that
works for me.
Some consider me a novice, so I'll ask the gang to overview my
comments to make sure that I'm not guiding you down the wrong path.
As you know, the key to setting the permissions of a file depends
upon the permissions the parent folder. If the parent folder
permission is set to 0777, then we can change any files inside the
folder as we want. However, that also presents a major security hole
because then anyone can use that folder to upload and run evil code.
So, the key problem is how to alter parent folder permissions.
With virtual hosting, we can upload, manage, and set permissions as
we want via our FTP connection software. So, I thought perhaps php
had something like that and as such I discovered how to ftp connect
via php.
Now, not all php ftp_<commands> are available to php 4, but you can
connect to your site and change permissions of folders, which is
what
we actually need. So, if you want to do something with a file: then
change the folder permissions of the folder that holds it; do
whatever you want with the file; and then change the folder
permissions back to something safe.
You can also create new folders if you want using the command
ftp_mkdir().
Note, the beginning of the ftp_paths are different than url paths we
would normally use to locate a file. For example:
An example web path:
http://www.yourdomain.com/rw/tmp/text.txt
An example symbolic link:
public_html/rw/tmp/text.txt
The following code will show you an example of how this works. Just
put in your own domain, user id, password, and correct paths and try
it out. Change the permissions in the code and watch how the file
permissions change.
Please let me know if this works for you -- watch for line breaks.
hth's
tedd
PS: I don't know what to say about your ".public_html/" directory,
but I would just leave it alone.
---
// how to call the function
<?php
$ftp_path = "public_html/rw/"; // note the ftp path
$theDir = "tmp";
$theFile ="text.txt";
FtpPerms($ftp_path, $theDir, $theFile);
?>
// the function
<?php
// create directory and change permissions via FTP connection
function FtpPerms($path, $theDir, $theFile)
{
$server='ftp.yourdomain.com'; // ftp server
$connection = ftp_connect($server); // connection
$user = "you";
$pass = "yourpassword";
$result = ftp_login($connection, $user, $pass); // login to ftp
server
if ((!$connection) || (!$result))
{
echo("No connection<br/>");
return false;
exit();
}
else
{
echo("Made connection<br/>");
ftp_chdir($connection, $path); // go to destination dir
echo("Change permission<br/>");
$str="CHMOD 0755 " . $theDir; // change permissions for dir (note
the
space after 0775 )
ftp_site($connection, $str);
echo("$str<br/>");
$filename = "$theDir/$theFile";
$contents = "This is the contents of the file.";
echo("<hr><br/>Writing file <br/><br/>");
$file = fopen( $filename, "w" );
fwrite( $file, $contents);
fclose( $file );
chmod($filename,0755);
echo("Change permission<br/>");
$str="CHMOD 0600 " . $theDir; // change permissions back for dir
ftp_site($connection, $str);
echo("$str<br/>");
echo("Close connection<br/>");
ftp_close($connection); // close connection
}
}
?>
--
-------
http://sperling.com http://ancientstones.com
http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
Like Music?
http://l-i-e.com/artists.htm
.
- References:
- File Upload Security and chmod
- From: "Andy Hultgren"
- Re: [PHP] File Upload Security and chmod
- From: "Richard Lynch"
- Re: [PHP] File Upload Security and chmod
- From: "Andy Hultgren"
- Re: [PHP] File Upload Security and chmod
- From: "Richard Lynch"
- Re: [PHP] File Upload Security and chmod
- From: "Andy Hultgren"
- Re: [PHP] File Upload Security and chmod
- From: "Andy Hultgren"
- Re: [PHP] File Upload Security and chmod
- From: "Andy Hultgren"
- File Upload Security and chmod
- Prev by Date: Re: [PHP] Object to array conversion oddity
- Next by Date: Re: [PHP] libcurl (cookies across cURL session). . .?
- Previous by thread: Re: [PHP] File Upload Security and chmod
- Next by thread: Re: [PHP] File Upload Security and chmod
- Index(es):
Relevant Pages
|
