Mari Masuda wrote:
> Yes, currently the tmp folder (or any folders in my Apache htdocs
> folder) is not accessible to the web due to the Mac's built-in firewall
> set to block all incoming traffic except network time and something
> installed by Adobe when I installed CS4 (e.g., Photoshop, InDesign,
> etc.). However, I was wondering what the normal technique is for
> writing files if the script that does the fopen/fwrite is located on a
> production server that IS on the web. It occurred to me that I could
> create a 777 folder outside of the web root so that it would not be
> accessible on the web even if the script was running on a production
> server, but I wasn't sure if that was a good or bad idea.
>
> On Jul 2, 2009, at 17:59, Waynn Lue wrote:
>
>> The tmp folder isn't accessible from the web though, right? Someone
>> would first have to get access to your server for that.
>>
>> On 7/1/09, Mari Masuda <mbmasuda@xxxxxxxxxxxx> wrote:
>>>
>>> On Jul 1, 2009, at 12:54, Shawn McKenzie wrote:
>>>
>>>> Mari Masuda wrote:
>>>>> On Jul 1, 2009, at 12:20, Shawn McKenzie wrote:
>>>>>
>>>>>> Shawn McKenzie wrote:
>>>>>>> Mari Masuda wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> This is probably a dumb newbie question. I am running PHP
>>>>>>>> 5.2.5 and
>>>>>>>> Apache 2.2.8 on my Mac Book Pro OS X 10.4.11. I compiled PHP and
>>>>>>>> Apache
>>>>>>>> from source a while ago (as opposed to using the built-in web
>>>>>>>> server
>>>>>>>> that is included w/ Mac OS X). I have written the below PHP whose
>>>>>>>> purpose is to read an existing comma separated (CSV) file and
>>>>>>>> save the
>>>>>>>> data into a text file that I can later copy and paste from into my
>>>>>>>> website content management system. The problem is that on my
>>>>>>>> Mac, I
>>>>>>>> cannot seem to figure out what permissions I need to set in
>>>>>>>> order to
>>>>>>>> make the input CSV and the initially non-existant output text file
>>>>>>>> readable and writable by Apache/PHP. I have Googled and come
>>>>>>>> across
>>>>>>>> many pages about different ways to set permissions and different
>>>>>>>> permissions to set but none of the ways suggested that I tried
>>>>>>>> seemed to
>>>>>>>> work for me. As a temporary solution, I uploaded my PHP file to a
>>>>>>>> Windows 2003 server running Apache and PHP and it worked
>>>>>>>> flawlessly
>>>>>>>> (and
>>>>>>>> makes me suspicious that there is some huge security hole with the
>>>>>>>> Windows box since it was able to execute with no permissions
>>>>>>>> modifications). Any tips would be greatly appreciated. Thanks!
>>>>>>>>
>>>>>>>> Mari
>>>>>>>>
>>>>>>>> --- start my code ---
>>>>>>>> <?php
>>>>>>>>
>>>>>>>> $in = fopen("/Applications/apache/htdocs/wp-php/wp.csv", "r");
>>>>>>>> $out =
>>>>>>>> fopen("/Applications/apache/htdocs/wp-php/tableToCutAndPaste.txt",
>>>>>>>> "w");
>>>>>>>> $counter = 0;
>>>>>>>>
>>>>>>>>
>>>>>>>> fwrite($out, "<table>\n");
>>>>>>>>
>>>>>>>> while(($data = fgetcsv($in)) !== FALSE) {
>>>>>>>> $paperNumber = $data[0];
>>>>>>>> $authors = $data[1];
>>>>>>>> $title = $data[2];
>>>>>>>> $filename = $paperNumber . ".pdf";
>>>>>>>>
>>>>>>>> if(($counter % 2) == 0) {
>>>>>>>> fwrite($out, "<tr>\n");
>>>>>>>> } else {
>>>>>>>> fwrite($out, "<tr style=\"background: #cccccc;\">\n");
>>>>>>>> }
>>>>>>>>
>>>>>>>> fwrite($out, "<td><a
>>>>>>>> href=\"http://www.example.com/workingpapers/getWorkingPaper.php?
>>>>>>>> filename=$filename\">$paperNumber</a></td>\n");
>>>>>>>>
>>>>>>>>
>>>>>>>> fwrite($out, "<td>$authors</td>\n");
>>>>>>>> fwrite($out, "<td>$title</td>\n");
>>>>>>>> fwrite($out, "</tr>\n");
>>>>>>>>
>>>>>>>> $counter++;
>>>>>>>> }
>>>>>>>>
>>>>>>>> fwrite($out, "</table>\n");
>>>>>>>>
>>>>>>>>
>>>>>>>> fclose($in);
>>>>>>>> fclose($out);
>>>>>>>>
>>>>>>>> ?>
>>>>>>>> --- end my code ---
>>>>>>>
>>>>>>> What are the permissions on /Applications/apache/htdocs/wp-php/ ?
>>>>>>>
>>>>>>> Apache needs write permissions on that dir in order to create
>>>>>>> the file
>>>>>>> tableToCutAndPaste.txt.
>>>>>>>
>>>>>>> It's probably not a secure idea to give write permissions to
>>>>>>> that dir,
>>>>>>> so maybe create a subdir of tmp and change those permissions
>>>>>>> (one way):
>>>>>>>
>>>>>>> mkdir /Applications/apache/htdocs/wp-php/tmp
>>>>>>> chmod a+w /Applications/apache/htdocs/wp-php/tmp
>>>>>>>
>>>>>>
>>>>>> Also, turn on error reporting so that you can see the exact
>>>>>> problem. It
>>>>>> may not be what you think.
>>>>>>
>>>>>> --
>>>>>> Thanks!
>>>>>> -Shawn
>>>>>> http://www.spidean.com
>>>>>
>>>>>
>>>>> Thanks for the suggestions. I added the following lines to the
>>>>> very top
>>>>> of my code:
>>>>>
>>>>> error_reporting(E_ALL);
>>>>>
>>>>> mkdir("/Applications/apache/htdocs/wp-php/tmp", 0777, true);
>>>>> chmod("/Applications/apache/htdocs/wp-php/tmp", "a+w");
>>>>>
>>>>> and I also changed the line where it tries to open the file to
>>>>> write to
>>>>> to go to the new directory:
>>>>>
>>>>> $out =
>>>>> fopen("/Applications/apache/htdocs/wp-php/tmp/
>>>>> tableToCutAndPaste.txt",
>>>>> "w");
>>>>>
>>>>> Below are the errors I got:
>>>>> --- start errors ---
>>>>> Warning: mkdir() [function.mkdir]: Permission denied in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 5
>>>>>
>>>>> Warning: chmod() [function.chmod]: No such file or directory in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 6
>>>>>
>>>>> Warning:
>>>>> fopen(/Applications/apache/htdocs/wp-php/tmp/tableToCutAndPaste.txt)
>>>>> [function.fopen]: failed to open stream: No such file or directory in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 9
>>>>>
>>>>> Warning: fwrite(): supplied argument is not a valid stream
>>>>> resource in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 13
>>>>>
>>>>> Warning: fwrite(): supplied argument is not a valid stream
>>>>> resource in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 22
>>>>>
>>>>> Warning: fwrite(): supplied argument is not a valid stream
>>>>> resource in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 27
>>>>>
>>>>> Warning: fwrite(): supplied argument is not a valid stream
>>>>> resource in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 28
>>>>>
>>>>> Warning: fwrite(): supplied argument is not a valid stream
>>>>> resource in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 29
>>>>>
>>>>> Warning: fwrite(): supplied argument is not a valid stream
>>>>> resource in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 30
>>>>>
>>>>> Warning: fwrite(): supplied argument is not a valid stream
>>>>> resource in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 35
>>>>>
>>>>> Warning: fclose(): supplied argument is not a valid stream
>>>>> resource in
>>>>> /Applications/apache/htdocs/wp-php/generateTable.php on line 39
>>>>> --- end errors ---
>>>>>
>>>>> The permissions are as follows (sorry I didn't think to include
>>>>> them in
>>>>> my original message):
>>>>>
>>>>> [Wed Jul 01 12:28:29] ~: ls -la /Applications/apache/htdocs/wp-php/
>>>>> total 64
>>>>> drwxr-xr-x 5 mari admin 170 Jun 29 16:47 .
>>>>> drwxr-xr-x 24 mari admin 816 Jun 29 16:47 ..
>>>>> -rw-r--r-- 1 mari admin 6148 Jun 28 21:11 .DS_Store
>>>>> -rwxr--r-- 1 mari admin 827 Jul 1 12:26 generateTable.php
>>>>> -rwxr--r-- 1 mari admin 17532 Jun 28 20:53 wp.csv
>>>>> [Wed Jul 01 12:29:01] ~:
>>>>>
>>>>> Thank you,
>>>>> Mari
>>>>
>>>> That's because the apache user doesn't have permissions to create the
>>>> dir or change the permissions. The commands I gave you need to be run
>>>> from the command line.
>>>>
>>>> --
>>>> Thanks!
>>>> -Shawn
>>>> http://www.spidean.com
>>>
>>> Oh, duh, thank you. Doing it on the command line like you said
>>> worked great. I also had to edit my .csv file in TextWrangler to
>>> change the line breaks from \r to \r\n before it would work.
>>> Although the Mac's built-in firewall is set to block incoming traffic
>>> except for network time and something installed by Adobe when I
>>> installed CS4, I was wondering about the security of this technique
>>> if done on a production server. I only run this script by pointing
>>> my browser to http://localhost/wp-php/generateTable.php and I think
>>> with my firewall settings nobody else would be able to execute this
>>> script, but it seems if the tmp folder is set to world writable on a
>>> production server that anybody might be able to somehow upload a
>>> malicious file if they knew the location of tmp. Any thoughts? Thanks!
>>>
>>> Mari
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>
Yes, it would be best to keep writable directories and files outside of
the web root.
--
Thanks!
-Shawn
http://www.spidean.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
