php upload scripts

exxos
Site Admin
Posts: 4089
Joined: Wed Aug 16, 2017 11:19 pm
Location: UK

php upload scripts

Post by exxos » Thu Sep 13, 2018 10:56 pm

I need to allow "public" users to upload files to a folder... This script does work...

http://www.johnboyproductions.com/php-u ... gress-bar/

But I have to set the "files" folder to 777 for it to work, but doesn't that mean the public could write to the folder or files without even using the script? I know I fell victim to some security thing where hackers were adding code onto the end of my index pages...

So I want to know how to set this up right, so only the script itself can upload files...

Anyone know about this kind of stuff?
4MB STFM 1.44 FD- VELOCE+ 020 STE - 4MB STE 32MHz - STFM 16MHz - STM - MEGA ST - Falcon 030 CT60 - Atari 2600 - Atari 7800 - Gigafile - SD Floppy Emulator - PeST - HxC - CosmosEx - Ultrasatan - various clutter

https://www.exxoshost.co.uk/atari/ All my hardware guides - mods - games - STOS
https://www.exxoshost.co.uk/atari/last/storenew/ - All my hardware mods for sale - Please help support by making a purchase.

rpineau
Site Admin
Posts: 360
Joined: Thu Aug 17, 2017 6:08 pm
Location: USA

Re: php upload scripts

Post by rpineau » Fri Sep 14, 2018 2:22 am

777 (aka -rwxrwxrwx) is BAD. It means anybody can do anything if they can access the system.
If PHP runs as a certain user, that is the user that will be used to create the new files. So setting the target directory to 777 shouldn't be needed; you should just need to give the proper access to the PHP user (or apache if it's run as apache, or www-data ... or whatever the user running the web server is).
So if you have shell access to the webserver, do a ps -aux and see what user is running the httpd process (hopefully not root).
Then once that is known, change the directory you want to use to be owned by that user.
Working ones : MegaSTE (68020) / TT030 / Falcon with AB040 & Eclipse / 1040STF
Need testing : Falcon with CT2
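A way to do what rpineau describes end to end, as an added shell example that is not from the thread or from the linked upload script: find the web server's worker account from ps, hand the upload directory to it with mode 0750 instead of 777, and make Apache refuse to execute anything dropped into it. The directory path /var/www/uploads, the web user name and the Apache directives are assumptions for illustration. The .htaccess part only takes effect if the vhost's AllowOverride permits Options and AuthConfig for that directory, and not at all if PHP requests are routed with ProxyPassMatch; in those cases the same rules belong in the vhost's <Directory> block.

```shell
#!/bin/sh
# Added example (not from the thread): give a PHP upload directory to the web
# server account and lock it down, instead of chmod 777.
# Assumes Linux + Apache; run as root so chown can hand the directory over.

# Find the account the web server workers run as (rpineau's "ps" step).
# The parent httpd/apache2 runs as root, the workers as www-data/apache/...;
# we want a worker, so the root line is skipped. Prints nothing if not found.
web_user() {
    ps -eo user=,comm= |
        awk '$2 ~ /^(apache2|httpd|php-fpm)/ && $1 != "root" { print $1; exit }'
}

# Succeed only if DIR exists and neither group nor others may write to it.
# Reads the mode from `ls -ld` (portable; stat(1) flags differ between GNU
# and BSD). Character 6 is the group write bit, character 9 the others
# write bit, so 777, 775, 766 etc. all fail this check.
dir_is_locked_down() {
    [ -d "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)     # e.g. drwxr-x---
    case "$mode" in
        d????w????) return 1 ;;           # group can write
        d???????w?) return 1 ;;           # others can write
    esac
    return 0
}

# Drop an .htaccess that makes Apache treat everything in DIR as plain data.
# php_flag only exists under mod_php (guarded by IfModule so it cannot break
# a php-fpm host); the FilesMatch deny works for both and is the backstop.
write_no_exec_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
Options -ExecCGI -Indexes
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<FilesMatch "\.(php[0-9]?|phtml|phar|pl|py|cgi|sh)$">
    Require all denied
</FilesMatch>
EOF
}

# Create DIR owned by USER with mode 0750: the web server may create files,
# its group may read them, nobody else on the box gets anything.
# Usage: secure_upload_dir DIR USER
secure_upload_dir() {
    mkdir -p "$1"
    chown "$2" "$1"
    chmod 0750 "$1"
    write_no_exec_htaccess "$1"
}

# Command-line use (hypothetical path): ./lockdown.sh /var/www/uploads [web-user]
if [ "$#" -gt 0 ]; then
    user=${2:-$(web_user)}
    if [ -z "$user" ]; then
        echo "could not detect the web server user; pass it as the 2nd argument" >&2
        exit 1
    fi
    secure_upload_dir "$1" "$user"
    dir_is_locked_down "$1" && echo "ok: $1 owned by $user, $(ls -ld "$1" | cut -c1-10)"
fi
```

Run dir_is_locked_down on the directory after any hosting-panel "fix permissions" button or chmod -R: it is the check that tells you the 777 has crept back. Keeping the upload directory outside DocumentRoot is stronger still, because then the .htaccess is not needed for the no-execute guarantee.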

exxos

Re: php upload scripts

Post by exxos » Fri Sep 14, 2018 8:47 am

I know I had something set up a long time ago, but can't remember how I did it.. :(

exxos

Re: php upload scripts

Post by exxos » Fri Sep 14, 2018 1:26 pm

ahhh

chown -R www-data:www-data /var/www/html/etc etc etc

I've got permission 744?

(screenshot: 1.JPG)

Smonson
Posts: 152
Joined: Sat Oct 28, 2017 10:21 am

Re: php upload scripts

Post by Smonson » Fri Sep 14, 2018 1:53 pm

744 should be fine, although it's more common for read and execute to be set together, for directories. Without +x, nobody can see the file listing within a directory.

Since it seems that www-data will be the only one accessing the files, the "group" and "public" permissions won't be used anyway.

IngoQ
Site Admin
Posts: 656
Joined: Tue Aug 22, 2017 8:38 am
Location: Germany

Re: php upload scripts

Post by IngoQ » Fri Sep 14, 2018 3:06 pm

Keep in mind to never give users unmoderated access to uploads. You could end up having child porn uploaded to your server and not noticing it until a cybercrime unit finds it...

It is always advisable to have a separate inbox folder with write access only, and you manually moving it to a public download folder after you have checked it. Everything else is extremely dangerous.
Ingo :geek:

“Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.” - Antoine de Saint-Exupéry
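The inbox/public split IngoQ recommends needs a publish step, and that step is where a file name chosen by a stranger first touches the served tree. Below is an added shell example, not from the thread: the upload script writes into an inbox the web server does not serve, you look at a file, then publish_file moves it into the download directory under a sanitized name, refusing anything whose extension is not on an allowlist. The extension list, the inbox and public paths in the usage comment, and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): the review-then-publish step for an
# inbox/public split. The inbox is where the upload script writes (not served
# by the web server); you look at a file, then publish it into the download
# directory under a cleaned-up name. Allowlist and paths are constructed here.

# Extensions we are willing to serve. Example set for Atari disk images,
# archives, pictures and docs; adjust to taste. Note: no php/phtml/html/svg.
ALLOWED_EXT="st msa stx zip 7z lzh png jpg jpeg gif txt pdf"

# Lower-case, replace anything outside [a-z0-9._-] with "_", collapse runs,
# and turn every dot except the last into "_". The last rule is what keeps
# "shell.php.jpg" from becoming a file that an Apache AddHandler for .php
# would still execute (AddHandler matches any segment, not just the last).
sanitize_name() {
    lower=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -c 'a-z0-9._-' '_')
    case "$lower" in
        *.*) ext=${lower##*.}; base=${lower%.*} ;;
        *)   ext=""; base=$lower ;;
    esac
    base=$(printf '%s' "$base" | tr '.' '_' | sed 's/[_-]\{2,\}/_/g; s/^[_-]*//; s/[_-]*$//')
    [ -n "$base" ] || base=file          # ".htaccess" -> "file.htaccess"
    if [ -n "$ext" ]; then printf '%s.%s\n' "$base" "$ext"; else printf '%s\n' "$base"; fi
}

# ext_allowed EXT -> success if EXT is in ALLOWED_EXT (an empty EXT never is)
ext_allowed() {
    for e in $ALLOWED_EXT; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# publish_file SRC PUBDIR -> move a reviewed file from the inbox into the
# public directory under its sanitized name and print the new path.
# Refuses unknown extensions and never overwrites. Mode 0644: the web
# server can read it, nothing can execute it.
publish_file() {
    src=$1; pub=$2
    [ -f "$src" ] || { echo "publish: no such file: $src" >&2; return 1; }
    name=$(sanitize_name "${src##*/}")
    case "$name" in *.*) ext=${name##*.} ;; *) ext="" ;; esac
    if ! ext_allowed "$ext"; then
        echo "publish: refused, extension not allowed: $name" >&2
        return 1
    fi
    dest=$pub/$name
    if [ -e "$dest" ]; then
        echo "publish: refused, already exists: $dest" >&2
        return 1
    fi
    mv -- "$src" "$dest"
    chmod 0644 "$dest"
    printf '%s\n' "$dest"
}

# Command-line use (hypothetical paths):
#   ./publish.sh /srv/uploads/inbox/file.zip /var/www/html/downloads
if [ "$#" -eq 2 ]; then
    publish_file "$1" "$2"
fi
```

The allowlist is on the final extension only because the rename has already turned every inner dot into an underscore, so a double-extension trick cannot survive publishing. Checking the content type as well (for example with file --mime-type) is a sensible extra step before the move, since the extension says nothing about what is inside the file.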

exxos

Re: php upload scripts

Post by exxos » Fri Sep 14, 2018 3:16 pm

Yeah, problem is we don't have time to monitor the uploads...

At the moment Michael Keenleyside has access to my FTP to dump files for me to sort out for my site.. but he's not keeping up either.. people are uploading files to FB which mostly doesn't work.. now people are uploading stuff all over the place and it's become a mess :roll:

So I am coding a script so people can upload files onto my server (via a web page) and it will generate download links right away for people to share their stuff on FB..

This is a public thing, so of course it's open to abuse, but nothing I can really do about that other than add a "report" button or something. I could password it, but the password in a public group would likely end up on Google anyway.. Or only give the password to people who ask for it; at least then it's better than full public access.

I did check with my host right from day one about this type of thing; if anything does get reported, they will contact me to remove the content. So they say anyway, they wouldn't just take down the whole server without trying to resolve it first.

derkom
Posts: 25
Joined: Sun Jul 29, 2018 6:45 pm

Re: php upload scripts

Post by derkom » Fri Sep 14, 2018 3:43 pm

Smonson wrote:
Fri Sep 14, 2018 1:53 pm
744 should be fine, although it's more common for read and execute to be set together, for directories. Without +x, nobody can see the file listing within a directory.
+x (numeric 1) allows people to enter the directory, but not see a listing. +r (4) is what lets people see the listing. And then of course +w (2) allows creation of new files in the directory. (Of course you are technically correct that people would not be able to see a listing without +x, since they couldn't enter the directory to see it.)
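derkom's correction is easy to see for yourself rather than take on faith. The added shell example below, not from the thread, sets a scratch directory to each mode in turn and tries the three operations as the current user: listing (needs r), opening a file inside by name (needs x) and creating a file (needs w and x). It has to run as a normal user; root bypasses these bits, so as root everything reports "ok". The scratch directory comes from mktemp and the file names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): probe what the r, w and x bits do on a
# directory by actually trying each operation. Run as a normal user: root
# skips these checks entirely, so as root everything reports "ok".

# probe_dir_mode DIR MODE -> "MODE list=.. open=.. create=.."
#   list   = read the directory listing            (needs r)
#   open   = read a file inside by its exact name  (needs x on the directory)
#   create = make a new file inside                (needs w AND x)
# DIR must be a scratch directory owned by the caller; it is left at 0700.
probe_dir_mode() {
    d=$1; mode=$2
    chmod 0700 "$d"                     # stage with full access
    : > "$d/known.txt"
    rm -f "$d/new.txt"
    chmod "$mode" "$d"
    list=denied; open=denied; create=denied
    ls "$d" >/dev/null 2>&1 && list=ok
    cat "$d/known.txt" >/dev/null 2>&1 && open=ok
    ( : > "$d/new.txt" ) 2>/dev/null && create=ok
    chmod 0700 "$d"                     # restore so the caller can clean up
    echo "$mode list=$list open=$open create=$create"
}

# What an upload directory actually needs from the owner (web server) bits:
# w and x to create files, r only if the script lists the directory itself.
# Group and others need nothing, hence 0700 (or 0750 if a backup group reads).
# Command-line use: ./probe.sh demo
if [ "${1-}" = "demo" ]; then
    tmp=$(mktemp -d)
    for m in 0100 0400 0300 0700; do
        probe_dir_mode "$tmp" "$m"
    done
    rm -rf "$tmp"
fi
```

The 0300 line is the interesting one for an upload folder: the web server can drop files into it and hand out direct links, yet cannot enumerate what is there, which is exactly the "write access only" inbox shape. The 744 from the screenshot gives the owner everything and lets group and others list names but not open or create anything.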

exxos

Re: php upload scripts

Post by exxos » Fri Sep 14, 2018 5:01 pm

The script works, but some screwiness with some APC thingy...

call to undefined function apc_fetch()

Been looking for over an hour and it seems it's now APCu for PHP 5.6... that's enabled in Apache, but it still errors.. If I change it to apcu-fetch, it still errors... Usual case of spending ages looking for solutions and getting nowhere :roll:

EDIT:

Oh, it seems PHP 5 does it totally differently, so I gotta start my script over again, typical :roll:
