sonicdoomx
Posted October 31, 2008

Hello, I need to have a feature where the user can upload any PHP files, but they won't be executed by PHP. Instead, when the user types "uploadedfile.php" etc. directly in the URL, the PHP will be shown as text (exactly like the original) or as a download popup. I was wondering if anyone knows of a way, or could point me to any article on the web which writes about this certain feature. I have been googling but have not been able to find any articles. I'm using Windows XP, Apache, PHP. Cheers!

Daniel0
Posted October 31, 2008

There has to be some sort of backend handling the upload. I'm not quite sure what you're trying to accomplish.

sonicdoomx (Author)
Posted October 31, 2008

Yes, currently what I have is a PHP script that detects a PHP file and appends this script to the beginning of the file:

    <?php
    // Derive this file's own name from the request path.
    $s_array = explode("/", getenv("SCRIPT_NAME"));
    $filename = $s_array[2];

    // Force the browser to download instead of rendering.
    header("Content-Type: text/html");
    header("Content-Disposition: attachment; filename=".$filename);

    // Re-read this file and echo everything after the prepended script.
    $handle = fopen($filename, "r");
    if ($handle) {
        $line = 0;
        while (!feof($handle)) {
            $line += 1;
            $buffer = fgets($handle);
            // Skip the lines that belong to the prepended script.
            if ($line > 28) {
                echo $buffer;
            }
        }
        fclose($handle);
    }
    // Stop here so the user's script below is never executed.
    exit();
    ?>
    //End of appended script
    <?php
    // Here is where the user has his own script
    ?>

As you can see, the code that I add will be hidden, and it will force the browser to download the user's uploaded PHP script. It will also not execute the user's script. I was thinking if there is a better way without modifying the user files?

Daniel0
Posted October 31, 2008

Ah I see... I thought you wanted the user to upload without using a PHP backend. You're doing it correctly (at least with the headers). You don't have to modify the users' files though. You can just have e.g. download.php with your above snippet and then use readfile() to include and send the file. See this post for instance: http://www.phpfreaks.com/forums/index.php/topic,95433.0.html

sonicdoomx (Author)
Posted October 31, 2008

Thanks for the link, I will explore that, but is it safer than the code I have? I don't want the users to be guessing their PHP filenames/locations and directly executing them on my server.

Daniel0
Posted October 31, 2008

The safest would be to store them outside the document root and only serve them dynamically through a script like in the link I posted. If you use readfile() then it'll echo the contents of the file and not execute it. In that case you'll be safe. If the uploaded file lies within the document root, however, then you risk that people will find and execute the file.

E.g. if http://example.com/index.php is at /var/www/example.com/htdocs/index.php then your uploaded files could go into the folder /var/www/example.com/uploads. In that way they won't be directly accessible. Generally, everything that should not be directly accessible should not be within document root.
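
A sketch of the download.php approach described in the last reply, added here as an example and not code posted by anyone in the thread. It assumes uploads are stored in /var/www/example.com/uploads (the path from the post above) and that the file is requested as download.php?file=NAME; the `file` parameter and the `resolveUpload()` helper are hypothetical names.

```php
<?php
// download.php - added example, not code from the thread.
// Assumptions: uploads live outside the document root in UPLOAD_DIR and the
// request looks like download.php?file=NAME ("file" is a hypothetical name).

const UPLOAD_DIR = '/var/www/example.com/uploads';

/**
 * Map a user-supplied name to a real file inside $baseDir, or return null.
 */
function resolveUpload(string $baseDir, string $name): ?string
{
    // Reject empty names, NUL bytes, and anything that is not a bare file name.
    if ($name === '' || strpos($name, "\0") !== false || $name !== basename($name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks and ".."; the result must stay under $base.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$name = isset($_GET['file']) && is_string($_GET['file']) ? $_GET['file'] : '';
$path = resolveUpload(UPLOAD_DIR, $name);

if ($path === null) {
    http_response_code(404);
    exit('File not found.');
}

// Send the source as an opaque download. readfile() only copies bytes to the
// response; it never hands the file to the PHP interpreter.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode(basename($path)));
header('Content-Length: ' . filesize($path));
readfile($path);
```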