
php upload scripts

Posted: Thu Sep 13, 2018 10:56 pm
by exxos
I need to allow "public" users to upload files to a folder... This script does work...

http://www.johnboyproductions.com/php-u ... gress-bar/

But I have to set the "files" folder to 777 for it to work, but doesn't that mean the public could write to the folder or files without even using the script? I know I fell victim to some security thing where hackers were adding code onto the end of my index pages...

So I want to know how to set this up right, so only the script itself can upload files...

Anyone know about this kind of stuff?

Re: php upload scripts

Posted: Fri Sep 14, 2018 2:22 am
by rpineau
777 (aka -rwxrwxrwx) is BAD. It means anybody can do anything if they can access the system.
If PHP runs as a certain user, that is the user that will be used to create the new files. So setting the target directory as 777 shouldn't be needed; you should just need to give the proper access to the PHP user (or apache if it's run as apache, or www-data ... or whatever the user running the web server is).
So if you have shell access to the webserver, do a ps -aux and see what user is running the httpd process (hopefully not root).
Then once that is known, change the directory you want to use to be owned by that user.

Re: php upload scripts

Posted: Fri Sep 14, 2018 8:47 am
by exxos
I know I had something set up a long time ago, but can't remember how I did it.. :(

Re: php upload scripts

Posted: Fri Sep 14, 2018 1:26 pm
by exxos
ahhh

chown -R www-data:www-data /var/www/html/etc etc etc

I've got permission 744 ?


Re: php upload scripts

Posted: Fri Sep 14, 2018 1:53 pm
by Smonson
744 should be fine, although it's more common for read and execute to be set together, for directories. Without +x, nobody can see the file listing within a directory.

Since it seems that www-data will be the only one accessing the files, the "group" and "public" permissions won't be used anyway.

Re: php upload scripts

Posted: Fri Sep 14, 2018 3:06 pm
by IngoQ
Keep in mind to never give users unmoderated access to uploads. You could end up having child porn uploaded to your server and not noticing it until a cybercrime unit finds it...

It is always advisable to have a separate inbox folder with write access only, and you manually moving it to a public download folder after you have checked it. Everything else is extremely dangerous.

Re: php upload scripts

Posted: Fri Sep 14, 2018 3:16 pm
by exxos
Yeah, problem is we don't have time to monitor the uploads...

At the moment Michael Keenleyside has access to my FTP to dump files for me to sort out for my site.. but he's not keeping up either.. people are uploading files to FB which mostly doesn't work.. now people are uploading stuff all over the place and it's become a mess :roll:

So I am coding a script so people can upload files onto my server (via a web page) and it will generate download links right away for people to share their stuff on FB..

This is a public thing, so of course it's open to abuse, but nothing I can really do about that other than add a "report" button or something. I could password it, but the password in a public group would likely end up on Google anyway.. Or only give the password to people who ask for it; at least then it's better than full public access.

I did check with my host right from day one about this type of thing; if anything does get reported, they will contact me to remove the content. So they say anyway, they wouldn't just take down the whole server without trying to resolve it first.

Re: php upload scripts

Posted: Fri Sep 14, 2018 3:43 pm
by derkom
Smonson wrote:
Fri Sep 14, 2018 1:53 pm
744 should be fine, although it's more common for read and execute to be set together, for directories. Without +x, nobody can see the file listing within a directory.
+x (numeric 1) allows people to enter the directory, but not see a listing. +r (4) is what lets people see the listing. And then of course +w (2) allows creation of new files in the directory. (Of course you are technically correct that people would not be able to see a listing without +x, since they couldn't enter the directory to see it.)
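The procedure rpineau outlines (find the account the web server runs as, then give only that account write access to the upload directory) and derkom's breakdown of what the r, w and x bits do on a directory, as one added shell example that is not code from the thread. The `web_server_user` function reads `ps aux`-style output on stdin so it can be run against captured text; `probe_dir_bits` sets a mode on a directory and reports what the current user can then do with it. The function names and the sample `ps` lines are assumptions for this example; `stat -c` is GNU coreutils. One caveat worth stating plainly: only the upload directory should be owned by the web server account. If the whole `/var/www/html` tree is chowned to www-data (as in the `chown -R` above), a bug in any PHP script lets the web server rewrite every page on the site, which is precisely how code ends up appended to index pages.

```shell
#!/bin/sh
# Added example (not from the thread): which user runs the web server, what
# permissions the upload directory needs, and what each directory bit allows.
# Assumes: Linux with GNU coreutils (stat -c) and `ps aux` column layout.

# Print the first non-root user owning an httpd/apache2/php-fpm/nginx process.
# Reads `ps aux` output on stdin: usage `ps aux | web_server_user`.
web_server_user() {
    awk '$11 ~ /(httpd|apache2|php-fpm|nginx)/ && $1 != "root" { print $1; exit }'
}

# Give WEBUSER, and nobody else, write access to DIR: owner rwx, group rx,
# others nothing. 777 would let any local account or any other compromised
# web application on the same box drop files into it.
lock_down_upload_dir() {
    dir=$1; webuser=$2
    chown "$webuser:$webuser" "$dir"
    chmod 750 "$dir"
}

# Octal mode and owner of a path, e.g. "750 www-data".
mode_and_owner() {
    stat -c '%a %U' "$1"
}

# probe_dir_bits DIR MODE
# Applies MODE to DIR (which the caller owns) and reports, as the current
# non-root user, whether it can enter (x), list (r) and create files (w+x).
# Root bypasses these checks entirely, so run it as an ordinary user.
probe_dir_bits() {
    dir=$1; mode=$2
    chmod "$mode" "$dir"
    enter=no; list=no; create=no
    ( cd "$dir" 2>/dev/null ) && enter=yes
    ls "$dir" >/dev/null 2>&1 && list=yes
    ( : > "$dir/.probe" ) 2>/dev/null && { create=yes; rm -f "$dir/.probe"; }
    chmod 700 "$dir"        # restore so the directory can be cleaned up
    echo "enter=$enter list=$list create=$create"
}

# Stand-alone demonstration on a scratch directory (no chown, so no root needed).
if [ "${1:-}" = "demo" ]; then
    echo "web server user: $(ps aux | web_server_user)"
    d=$(mktemp -d)
    for m in 100 400 300 700; do
        printf 'mode %s: %s\n' "$m" "$(probe_dir_bits "$d" "$m")"
    done
    rmdir "$d"
fi
```

Run `sh perms.sh demo` as a normal user. Mode 100 (x only) is the interesting one: the web server can write into and read named files from such a directory only if it also has w and r, but it can never enumerate what is there, which is one reason 750 with the web server as owner is the usual choice for an upload directory rather than anything ending in 7.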

Re: php upload scripts

Posted: Fri Sep 14, 2018 5:01 pm
by exxos
The script works, but some screwiness with some APC thingy...

call to undefined function apc_fetch()

Been looking for over an hour and it seems it's now APCu for PHP 5.6... that's enabled in Apache, but it still errors.. If I change it to apcu-fetch, it still errors... Usual case of spending ages looking for solutions and getting nowhere :roll:

EDIT:

Oh, it seems PHP 5 does it totally differently, so I gotta start my script over again, typical :roll: