Well, seeing as I have no directory anywhere in my file structure called "/tmp" and yet my file uploads are still working, it would appear that my temporary file upload directory "/tmp" given by php_info() is somewhere outside of my root directory. So that's good news! That's where I'll be doing my file checks anyway before moving any files into my root directory. Anyway, at this point it looks like I need to buckle down and do some thinkin'. Thank you everyone for your advice, I really really appreciate it!! You guys have given me a really good foundation to start from on these questions of site security, and I appreciate you taking the time to pass on your expertise to a newcomer.

All the best,
Andy

On 9/27/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
On Wed, September 27, 2006 12:12 pm, Andy Hultgren wrote:
> So I've been trying to figure out where php uploads files to temporarily
> store them before I move them to their permanent storage directory, and I'm
> having some difficulties:
>
> -- php_info() says the temporary file upload directory is "/tmp" but I don't
> know if that's relative to my root directory or what and can't figure out
> from the documentation how that path is displayed.

/tmp means the /tmp on the root of the hard drive, which your webhost allegedly isn't letting you share...

HOWEVER:

It is entirely possible (nay, even likely) that they have you in a ch-rooted environment where your "/tmp" is not somebody else's "/tmp" so you'll just see "/tmp" and you don't have to worry about the fact that it's not really really /tmp but somewhere else...

> -- I have tried to call pathinfo() and realpath() on my
> $_FILES['name']['tmp_name'] file before it is moved, but neither gives the
> full path to the file

If $_FILES['name']['tmp_name'] does already have the full path, something is very wrong on your system...

Note that as soon as your upload-receiving script ends, the file is deleted.

You *have* to use move_uploaded_file() on it in the upload-receiving script to save the file somewhere else, or it's just gonna go away, and you ain't gonna see it never again.

> Maybe I should have one of those disclaimers posted on my homepage like the
> ones that you see in taxis sometimes: "This driver never carries more than
> $20 cash." --> "This website never carries anyone's financial
> information." :)

:-)

While there are obviously people "out there" who will just attack randomly, (spammers) I honestly believe that a valuable/useful/warm-fuzzies site (in the eyes of the attackers) is a much less likely target for an actual human attack.

I have absolutely zero evidence to support that claim, other than one site that's been wide open to abuse for most of a decade, and only the mindless spam-bots bother it... :-)

--
Like Music?
http://l-i-e.com/artists.htm
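As an added illustration of the upload flow discussed in this thread (checking the temporary file in the receiving script, then calling move_uploaded_file() before the script ends), here is an example handler that is not from either poster; the form field name 'name', the size cap and the storage path /var/www/uploads_private (assumed to lie outside the web root) are assumptions.

```php
<?php
// Added example: an upload-receiving script that validates the temporary
// file *before* move_uploaded_file(), in the same request that received it.
// Assumed: $storeDir sits outside the web root; field name and cap are made up.
declare(strict_types=1);
const MAX_BYTES = 2 * 1024 * 1024;                       // 2 MiB cap (assumed)
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function store_upload(array $file, string $storeDir): string
{
    // 1. PHP reports truncated/failed uploads here; never trust a partial file.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . ($file['error'] ?? 'n/a'));
    }
    $tmp = $file['tmp_name'];

    // 2. Confirm the path really came from this request's upload, not a
    //    user-controlled string pointing at some other file on the server.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('not an uploaded file');
    }

    // 3. Size check on the temp file itself, not on the client-supplied 'size'.
    $size = filesize($tmp);
    if ($size === false || $size > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // 4. Detect the type from content; $file['type'] is whatever the browser sent.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }

    // 5. Never reuse the client-supplied name: generate one, fix the extension
    //    from the detected type, and keep the destination outside the web root.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];

    // 6. move_uploaded_file() must happen now; the temp file is gone when the
    //    script ends. It also refuses anything that is not a real upload.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640);   // stored data, not executable
    return $dest;
}

// Usage inside the receiving script; the form field is assumed to be named 'name'.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['name'])) {
    echo basename(store_upload($_FILES['name'], '/var/www/uploads_private'));
}
```

If the host really is chrooted as suggested above, the "/tmp" that finfo and filesize see is the same one PHP wrote to, so the checks still apply to the actual uploaded bytes.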