
[SOLVED] Relative Path - not going past the public domain accessible folders


daniel244rock


Hello!

 

I am having a problem which I've never had before and can't find anything on it here on PHPFreaks, though I haven't read every thread so there might be somewhere, and I'm sorry if I'm duplicating anything.

 

Here is a directory structure that we will use as an example:

rootFolder - 755

  • fishing.png
  • publicFolder

publicFolder - 755

  • hiking.png
  • error.php

 

Let's say error.php contains the following code:

<img src="hiking.png">
<br>
<img src="../fishing.png">

 

When error.php is viewed in a web browser via the http domain (not locally, it works locally) only the hiking.png picture is displayed, resulting in the default browser empty image for fishing.png. If the properties are viewed for the empty image the path is "http://www.domain.com/fishing.png" (don't know if that has anything to do with the problem).

 

I don't see why I can't use '../' to go back to the files I have stored in web inaccessible directories.

 

If we move everything to publicly accessible locations and try the same page, it works as expected.

 

Is there a php.ini setting that is messed up? Maybe the include_path or something? I've played with that trying to get it working, but maybe I just messed it up more.

 

Thanks in advance! If you need more info, I'll be here to answer questions promptly.

 

Daniel

 

EDIT: oh yeah, the domain points to publicFolder


That area is generally protected so folks can't mess up your server. I found a bit of code ages ago to get files above the www folder. That way I can store mp3s up there that they can't get, but provide folks with them if I want to. I can't really explain it to you as I'm not fully sure of it myself, but perhaps you can adapt it?

 

<?php
// $url (the requested file name), SERVER_NAME, SAFE_DIR and DLC_URL come from
// elsewhere in the original site and are assumed to be defined before this point.
// basename() drops any directory part, so the requested name cannot leave $safedir
// via '../' sequences.
$filename    = basename($url);
$downloaddir = '../../temp_dl_dir/';                                    // temporary directory under the web root
$safedir     = '/home/' . SERVER_NAME . '/products/' . SAFE_DIR . '/';  // protected files stored above the web root
$downloadURL = DLC_URL . '/temp_dl_dir/';

// Build a random directory name of 4 to 12 lowercase letters
// (the length is fixed once, and the index now covers all 26 letters).
$letters = 'abcdefghijklmnopqrstuvwxyz';
$string  = '';
$len     = rand(4, 12);
for ($i = 1; $i <= $len; $i++) {
    $string .= $letters[rand(0, 25)];
}

// Remove any earlier temporary directories, and the symlink inside each one
$handle = opendir($downloaddir);
while (($dir = readdir($handle)) !== false) {
    if ($dir != '.' && $dir != '..' && is_dir($downloaddir . $dir)) {
        @unlink($downloaddir . $dir . '/' . $filename);
        @rmdir($downloaddir . $dir);
    }
}
closedir($handle);

// Create a fresh random directory (0755: world-writable is not needed here),
// symlink the protected file into it and redirect the browser to the temporary URL
mkdir($downloaddir . $string, 0755);
symlink($safedir . $filename, $downloaddir . $string . '/' . $filename);
header('Location: ' . $downloadURL . $string . '/' . $filename);
?>


I don't see why I can't use '../' to go back to the files I have stored in web inaccessible directories.

The point is that "web inaccessible" actually means "web inaccessible"... hateful, I know, that inaccessible actually means inaccessible, but it's a fact of life that sometimes words actually mean what they mean.

 

But fear not, all is not lost.

 

Instead of using:

<img src="../fishing.png">

you could use:

<img src="displayImage.php?id=../fishing.png">

and write a little PHP script in your web root directory (publicFolder) that loads the image based on the $_GET['id'] value and sends it to the browser. However, because you're now allowing access to files outside of the web accessible directories, you'd need to be very, very careful that some nasty person didn't type

http://www.yourdomain.com/displayImage.php?id=/etc/passwd

into the address bar of their browser.

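The displayImage.php script Mark describes, written out here as an added hardened example (not code from the thread). It keeps the protected images in rootFolder as in Daniel's layout, so the page would reference it as <img src="displayImage.php?id=fishing.png">; unlike the quoted ?id=../fishing.png, the script itself supplies the directory and rejects any id carrying a path component, which is what stops the /etc/passwd request above. The allowed extensions and the error handling are assumptions.

```php
<?php
// Added example: hardened displayImage.php living in publicFolder.
// Base directory is rootFolder, the parent of the web root, canonicalised once.
$imageDir = realpath(__DIR__ . '/..');

// Accept only a bare image file name: no slashes, no '..', a known extension.
$id = isset($_GET['id']) ? $_GET['id'] : '';
if ($id === '' || $id !== basename($id)
    || !preg_match('/^[A-Za-z0-9_-]+\.(png|jpe?g|gif)$/', $id)) {
    http_response_code(400);
    exit('Bad request');
}

// Resolve the final path and confirm it is still inside $imageDir after
// canonicalisation; this also catches a symlink pointing elsewhere.
$path = realpath($imageDir . '/' . $id);
if ($path === false || !is_file($path)
    || strpos($path, $imageDir . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Derive the MIME type from the file's own content, not from the
// extension the client supplied, and only serve real image types.
$mime = mime_content_type($path);
if (!in_array($mime, array('image/png', 'image/jpeg', 'image/gif'), true)) {
    http_response_code(415);
    exit('Unsupported type');
}

header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
readfile($path);
```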

Wow! Thanks for the quick replies!

 

While I'm reading up and trying those suggestions, I have another question. Isn't there a way to place some PHP file (i.e. db_connect.php) 'above' the domain accessible folder and still use 'include()' in a PHP file to use the file even though it is not accessible directly through the browser?

 

Can I make a folder called includes that is not accessible to the world, but accessible to server-side scripts, or does it have to be completely available to all browsers?

 

Thanks for the help so quickly!

 

Daniel


While I'm reading up and trying those suggestions, I have another question. Isn't there a way to place some PHP file (i.e. db_connect.php) 'above' the domain accessible folder and still use 'include()' in a PHP file to use the file even though it is not accessible directly through the browser?

There is, and it's commonly used too, particularly for files that might hold sensitive information such as database passwords.

Only files that are called directly through the browser need to exist in web accessible directories.

An included file isn't being called from the browser, but from the script that uses the include statement; therefore it can exist outside of the web accessible directories.


Interesting, and happily it makes perfect sense!

 

So scripts on the server can access each other wherever they are, but a browser cannot have access to anything that is above the domain structure.

 

Wolfrage: that is a sweet function! I have the site open now reading through the examples. Thanks!

c_shelswell:  Thanks, man.  I'll be saving that script for later for sure.

Mark: Thanks for explaining the obvious :)  Now that I've seen it written out it makes perfect sense.

 

Thanks all for your time.

 

Daniel
