non executable PHP

[The Little Guy]

If I allow for people to upload PHP files to my server, how can I make them non executable, and just editable/savable?

[NovaHaCker]

I believe you can just set the destination folder as read/write with no execute permissions at all.

Might need someone else to clear that one, but i think its right.

[trq]

Nope. None of the php files on my webserver are executable.

You would need to put them outsode of your web root, unless there is a directive you can place within a .htaccess file to trun off php and I don't think there is.

[The Little Guy]

Since people will be able to upload almost any file type, what types of things should I look out for or be aware of?
[quote author=thorpe link=topic=119073.msg487184#msg487184 date=1166434314]
Nope. None of the php files on my webserver are executable.
[/quote]
Is this because you only made the files read/write? or because you placed them outside your root? I cannot place them outside the root, because all the files will need to be accessed by the users, each registered user gets a file with there all there uploaded files stored in it.

I am guessing that good files to not allow are exe files, since someone could upload a virus or something and run it, but maybe if the read/write thing works, then maybe it won't get run, and I can allow uploads of them.

I am getting a new host, and I'm going to upload the files to the server for user access, I am thinking of going with http://dreamhost.com They give me a lot of storage, and upgrade the amount of storage every week, along with bandwidth. Anyways, what should I be aware of when letting people upload files? For now I need to make it so PHP files don't work so someone can't get any secure information such as database info, or something.

[trq]

[quote]Is this because you only made the files read/write? or because you placed them outside your root?[/quote]

My web application files are all within the web root, and are typically 644. However, my web root directory is actually 755. I have since discovered that if you made a directory 666 (as NovaHaCker suggests) no php within it will be executed. I should think that no kind of executable could be run from within it.

Be aware that exe files meen nothing to Linux. Linux doesn't care what a file extension is as it doesn't really use them. My question still, why can't you store these files outside of the web root? If your users need to edit them or whatever you can still provide an interface for that.

[quote]each registered user gets a file with there all there uploaded files stored in it[/quote]

This makes NO sense. For starters, files don't store other files. If you mean each user will get a seperate php file which lists all there uploaded files then really, your going about this the wrong way. Your users DO NOT need a seperate file for this. Thats a maintainence nightmare.

[The Little Guy]

Well... I cannot store them in all the same folder, because some users will have the same file names, like most web sites, for the home page they use: index(.php,.html,.htm, etc.). So how would you suggest that I store the files? What I currently have set up is a folder called users, in that folder I have a folder for each user, and that stores all there files, if there are any reccognizable files(jpg,gif,png) a thumbnail is created, and the thumbnail is stored in a thumbs folder within that users main folder.

+root
+--users
      +--user1
              +--thumbs
              |        +--file1.jpg
              |        +--file2.jpg
              |        +--file3.jpg
              |        +--file4.jpg
              +file1.jpg
              +file2.jpg
              +file3.jpg
              +file4.jpg

[trq]

Well, if you made your users directory of the perms 666 nothing could be executed within it.

[HuggieBear]

Have a separate folder for each user, it could be just named the same as their unique user_id or something.  Call the page something like listfiles.php and have it in the users directory (one directory above the individual user directories) then when the user logs in (which I'm assuming they do, unless you're allowing anyone to randomly upload files to your server) use the userid in a session variable, or something similar to list the directory contents...

Something like this:

[size=8pt][b]listfiles.php[/b][/size]
[code]<?php
// Path to the files
$path = '/root/users/' . $_SESSION['user_id'];

// Open the directory
$dh = opendir($path);
while (($file = readdir($dh)) !== false){
  if ($file != '.' && $file != '..'){
      echo "$file<br>\n";
  }
}
?>[/code]

This should list different files depending on which user is logged in.

Huggie

[The Little Guy]

[quote author=HuggieBear link=topic=119073.msg487698#msg487698 date=1166479552]
Have a separate folder for each user, it could be just named the same as their unique user_id or something.  Call the page something like listfiles.php and have it in the users directory (one directory above the individual user directories) then when the user logs in (which I'm assuming they do, unless you're allowing anyone to randomly upload files to your server) use the userid in a session variable, or something similar to list the directory contents...

This should list different files depending on which user is logged in.

Huggie
[/quote]
That is exactly what I am doing now... The only difference is where I put the so called listfiles.php, I called it users.php, and it is in the root directory.

[quote author=thorpe link=topic=119073.msg487696#msg487696 date=1166479105]
Well, if you made your users directory of the perms 666 nothing could be executed within it.
[/quote]
So If I made the directory 666, could I still allow users to share there images/videos/music, and post them in blogs, emails, ebay, etc., and still work?

[trq]

[quote]So If I made the directory 666, could I still allow users to share there images/videos/music, and post them in blogs, emails, ebay, etc., and still work?[/quote]

Yes.