On Saturday 23 September 2006 01:27, you wrote:
> Hi Borge,
>
> host/users/myDomain is the actual directory (and it's the root
> directory), and I do not have access to higher directories. So
> basically I do not have access to directories higher than my root
> directory, which is unfortunate. Also, the way the server is set up
> that I am on, I do not have access to the server's tmp file (it is not
> shared), I have my own tmp file in my root directory that I use. I
> don't know of any other system-wide read/write directory available
> either. I'd be putting a lot of data there too (customer uploaded
> images) so I really should save them somewhere in my directory and not
> in the common server space.
>
> You can start to see my bind... :( Any thoughts greatly appreciated!
>
> Andy

Sounds like cheap b-one hosting of sorts... thoughts? Yes, don't use it...
Yer site will probably quickly become a playing ground for other than yerself.
A file has to stay inside a quarantined area for a sanity check before being
let loose on the system.

Probably the cache of the browser ... for the "I can see the page" stuff. Dunno.

But as I said: change yer hosting to something usable and safe.

>
> On 9/22/06, Børge Holen <borge@xxxxxxxxxxx> wrote:
> > On Friday 22 September 2006 22:58, Andy Hultgren wrote:
> > > Hi,
> > > I am relatively new to php and am trying to set up a file upload
> > > process for my website. I have read through the php security
> > > documentation and a number of the security-related questions on these
> > > lists and am attempting to implement as many of the measures as
> > > possible.
> > > One of the suggestions I have read is to have the uploaded files saved
> > > somewhere outside of your root directory. Unfortunately I cannot do
> > > that as my root directory is simply www.myDomain.com and not
> > > ".public_html/" and I am on a shared server where my root cannot be
> > > changed (I have already asked).
> > > So, I am trying to keep the
> > > permissions on my "saved_files" folder as tight as possible except
> > > when the actual upload occurs. I do this as follows:
> > >
> > > 1) The actual file upload comes through Flash8, and when the user
> > > uploads a file it is sent to
> > > www.domain.com/flash8directory/upload.php, which is in the same
> > > directory as the Flash8 upload application.
> > > 2) upload.php first chmod 0740 the "saved_files" folder (which is
> > > located at www.domain.com/flash8directory/saved_files/). Then it does
> > > security checks to make sure an appropriate image has been uploaded,
> > > and if everything looks good it moves the uploaded file to
> > > "saved_files".
> > > 3) The Flash8 upload application is notified of the completion of the
> > > upload and downloads the new image into its viewer.
> > > 4) Once the download is complete and Flash8 no longer needs to work
> > > with the file, the Flash8 application notifies a separate php script
> > > by sending the variable "complete=1" to lockdown.php (located at
> > > www.domain.com/flash8directory/lockdown.php), which runs the following
> > > simple script:
> > >
> > > <?php
> > >
> > > $success = 0;
> > > $complete = $_POST['complete'];
> > >
> > > if ($complete == 1) {
> > >     // owner execute-only: the directory can no longer be listed or read
> > >     if (chmod("./saved_files", 0100)) {
> > >         $success = 1;   // the posted "success = yes;" was a syntax error
> > >         echo "success=yes";
> > >     }
> > > }
> > > ?>
> > >
> > > This script works and "saved_files" is set to chmod 0100, but here is
> > > the problem. If I then navigate directly to the url of the uploaded
> > > file by entering its path in my
> > > browser (www.domain.com/flash8directory/saved_files/uploadedFile.jpg),
> > > the uploaded file appears in my browser! However, if I then refresh
> > > the browser I get the desired error message saying I do not have
> > > permission to access that file. Also, other browser windows never
> > > have access to view the uploaded file, only the browser from which the
> > > file was uploaded.
> > >
> > > Any thoughts on why I can view the uploaded file even though it has
> > > been set to chmod 0100? I'd really rather not have those files
> > > accessible to anyone, as an extra security layer.
> > >
> > > Thank you for your help!
> > >
> > > Andy
> >
> > I don't quite understand why you cannot save to another catalog.
> > Is www.myDomain.com yer actual directory name or merely the domain?
> > If either, login to yer domain and simply go either one step up, is that
> > possible?
> > You can also make use of a .htaccess file inside a sub directory to keep
> > others from it till you have checked the file, then move it out in the
> > open or delete after specifications.
> >
> > Do you have access to /tmp ? That one is possible to use, in fact any
> > system wide directory writable by any/you is usable.
> >
> > --
> > ---
> > Børge
> > Kennel Arivene
> > http://www.arivene.net
> > ---

--
---
Børge
Kennel Arivene
http://www.arivene.net
---

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
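The quarantine-and-check approach suggested in the reply above, written out as an added example (not code from either poster): the upload is parked in a sub directory that .htaccess keeps Apache from serving, validated there, and only then renamed into the public "saved_files" folder, so no chmod juggling after the fact is needed. The directory paths, size limit, allowed-type table and the "Filedata" field name Flash 8's FileReference posts are assumptions for illustration.

```php
<?php
// Added example: quarantine-then-release upload handler.
// Directory names, size limit and the allowed-type table are assumptions;
// the .htaccess directive uses Apache 2.2 syntax (2.4 uses "Require all denied").

$quarantineDir = __DIR__ . '/quarantine';   // never served by Apache
$publicDir     = __DIR__ . '/saved_files';  // world-readable once released
$maxBytes      = 2 * 1024 * 1024;

// Create the quarantine directory once and deny all web access to it,
// so an unchecked upload is never reachable by URL while it sits there.
if (!is_dir($quarantineDir)) {
    mkdir($quarantineDir, 0700, true);
    file_put_contents($quarantineDir . '/.htaccess',
        "Order deny,allow\nDeny from all\n");
}

// Flash 8's FileReference.upload() posts the file as "Filedata" (assumed).
if (!isset($_FILES['Filedata']) || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK) {
    exit('success=no');
}
$upload = $_FILES['Filedata'];
if ($upload['size'] > $maxBytes || !is_uploaded_file($upload['tmp_name'])) {
    exit('success=no');
}

// 1) Park the file in quarantine under a server-chosen name; the client's
//    filename is never used (it could carry "../" or a .php extension).
$quarantined = $quarantineDir . '/' . bin2hex(random_bytes(16));
if (!move_uploaded_file($upload['tmp_name'], $quarantined)) {
    exit('success=no');
}

// 2) Sanity check: the content must decode as one of the allowed image
//    types. The extension is derived from the detected type, not the name.
$allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
$info = @getimagesize($quarantined);
if ($info === false || !isset($allowed[$info[2]])) {
    unlink($quarantined);   // reject while still quarantined
    exit('success=no');
}

// 3) Release: only a validated file ever reaches the web-visible directory,
//    so there is no window in which an unchecked upload is publicly served.
$final = $publicDir . '/' . basename($quarantined) . '.' . $allowed[$info[2]];
rename($quarantined, $final);
chmod($final, 0644);
echo 'success=yes';
```

Because the file is only made public after validation, the Flash viewer can fetch it immediately and the separate lockdown.php step (and the browser-cache confusion it caused) goes away.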