Jump to content

Recommended Posts

Since people will be able to upload almost any file type, what types of things should I look out for or be aware of?
[quote author=thorpe link=topic=119073.msg487184#msg487184 date=1166434314]
Nope. None of the php files on my webserver are executable.
[/quote]
Is this because you only made the files read/write? or because you placed them outside your root? I cannot place them outside the root, because all the files will need to be accessed by the users, each registered user gets a file with there all there uploaded files stored in it.

I am guessing that good files to not allow are exe files, since someone could upload a virus or something and run it, but maybe if the read/write thing works, then maybe it won't get run, and I can allow uploads of them.

I am getting a new host, and I'm going to upload the files to the server for user access, I am thinking of going with http://dreamhost.com They give me a lot of storage, and upgrade the amount of storage every week, along with bandwidth. Anyways, what should I be aware of when letting people upload files? For now I need to make it so PHP files don't work so someone can't get any secure information such as database info, or something.
Link to comment
https://forums.phpfreaks.com/topic/31071-non-executable-php/#findComment-143786
Share on other sites

[quote]Is this because you only made the files read/write? or because you placed them outside your root?[/quote]

My web application files are all within the web root, and are typically 644. However, my web root directory is actually 755. I have since discovered that if you made a directory 666 (as NovaHaCker suggests) no php within it will be executed. I should think that no kind of executable could be run from within it.

Be aware that exe files meen nothing to Linux. Linux doesn't care what a file extension is as it doesn't really use them. My question still, why can't you store these files outside of the web root? If your users need to edit them or whatever you can still provide an interface for that.

[quote]each registered user gets a file with there all there uploaded files stored in it[/quote]

This makes NO sense. For starters, files don't store other files. If you mean each user will get a seperate php file which lists all there uploaded files then really, your going about this the wrong way. Your users DO NOT need a seperate file for this. Thats a maintainence nightmare.
Link to comment
https://forums.phpfreaks.com/topic/31071-non-executable-php/#findComment-143928
Share on other sites

Well... I cannot store them in all the same folder, because some users will have the same file names, like most web sites, for the home page they use: index(.php,.html,.htm, etc.). So how would you suggest that I store the files? What I currently have set up is a folder called users, in that folder I have a folder for each user, and that stores all there files, if there are any reccognizable files(jpg,gif,png) a thumbnail is created, and the thumbnail is stored in a thumbs folder within that users main folder.

+root
+--users
      +--user1
              +--thumbs
              |        +--file1.jpg
              |        +--file2.jpg
              |        +--file3.jpg
              |        +--file4.jpg
              +file1.jpg
              +file2.jpg
              +file3.jpg
              +file4.jpg
Link to comment
https://forums.phpfreaks.com/topic/31071-non-executable-php/#findComment-143971
Share on other sites

Have a separate folder for each user, it could be just named the same as their unique user_id or something.  Call the page something like listfiles.php and have it in the users directory (one directory above the individual user directories) then when the user logs in (which I'm assuming they do, unless you're allowing anyone to randomly upload files to your server) use the userid in a session variable, or something similar to list the directory contents...

Something like this:

[size=8pt][b]listfiles.php[/b][/size]
[code]<?php
// Path to the files
$path = '/root/users/' . $_SESSION['user_id'];

// Open the directory
$dh = opendir($path);
while (($file = readdir($dh)) !== false){
  if ($file != '.' && $file != '..'){
      echo "$file<br>\n";
  }
}
?>[/code]

This should list different files depending on which user is logged in.

Huggie
Link to comment
https://forums.phpfreaks.com/topic/31071-non-executable-php/#findComment-143975
Share on other sites

[quote author=HuggieBear link=topic=119073.msg487698#msg487698 date=1166479552]
Have a separate folder for each user, it could be just named the same as their unique user_id or something.  Call the page something like listfiles.php and have it in the users directory (one directory above the individual user directories) then when the user logs in (which I'm assuming they do, unless you're allowing anyone to randomly upload files to your server) use the userid in a session variable, or something similar to list the directory contents...

This should list different files depending on which user is logged in.

Huggie
[/quote]
That is exactly what I am doing now... The only difference is where I put the so called listfiles.php, I called it users.php, and it is in the root directory.

[quote author=thorpe link=topic=119073.msg487696#msg487696 date=1166479105]
Well, if you made your users directory of the perms 666 nothing could be executed within it.
[/quote]
So If I made the directory 666, could I still allow users to share there images/videos/music, and post them in blogs, emails, ebay, etc., and still work?
Link to comment
https://forums.phpfreaks.com/topic/31071-non-executable-php/#findComment-144679
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.