Re: Re: move_uploaded_file

It's also a security flaw... PHP should be chrooted to the webroot! Or
it should be chrooted to the user's home directory. Especially on Windows
systems, where security is not so strict.

My 2 cents,
Carl.

Roberto wrote:
> Hi Joseph,
>
> I'm perfectly fine with the concepts of absolute/relative path and
> webroot, trust me.
> For me it was just unclear from the documentation that the
> "target path" in the move_uploaded_file function was "absolute" with
> respect to the file system and not to the "webroot".
> At the beginning I thought the function itself was taking care of
> adding the server root on its own to that path.
> Thinking carefully, it makes perfect sense for the function to
> behave the way it actually does, since otherwise it would be
> impossible to get these files out of the server root in file system
> terms.
> Still, this should be written in CAPITAL LETTERS in the documentation.
> Thanks for the interest,
>
> Roberto Aloi
> http://aloiroberto.wordpress.com
> Twitter: @prof3ta
>
>   
>> When used in PHP, an absolute path does not go off the web root. In Premise
>> 3 below, an absolute path of "/upload" will NOT bring up the directory
>> "/home/prof3ta/projects/moodle/htdocs/upload" but rather simply "/upload"
>>  In Windows terms, an absolute path would be "C:\upload" versus
>> "C:\home\prof3ta\projects\moodle\htdocs\upload".  The only time an absolute
>> path is figured relative to the web root is when it is referenced in a
>> browser.  At this point, for all intents and purposes, it locates the file
>> based on the web root.  This is a fundamental difference between absolute
>> and relative paths.
>>
>> Absolute:  begins at "/" in Linux operating systems and "C:\" in Windows OS
>> Relative:  begins wherever the running script is located in the file system.
>>
>> Joseph
>>
>> Roberto wrote:
>>     
>>> Hi,
>>>
>>> Premise 1:
>>> echo exec("pwd"); -> "/home/prof3ta/projects/moodle/htdocs/feedback_tool"
>>>
>>> Premise 2:
>>> I have an "upload" folder with 777 permissions under:
>>> /home/prof3ta/projects/moodle/htdocs/upload
>>>
>>> Premise 3:
>>> The server root is obviously htdocs:
>>> /home/prof3ta/projects/moodle/htdocs
>>>
>>> This said, the following doesn't work:
>>>
>>> <?php
>>> $uploads_dir = "/upload";                 // absolute filesystem path
>>> $tmp_name = $_FILES["file"]["tmp_name"];  // temp file written by PHP
>>> $name = $_FILES["file"]["name"];          // client-supplied name
>>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>>> ?>
>>>
>>> The following does work:
>>>
>>> <?php
>>> $uploads_dir = "../upload";               // relative path
>>> $tmp_name = $_FILES["file"]["tmp_name"];  // temp file written by PHP
>>> $name = $_FILES["file"]["name"];          // client-supplied name
>>> move_uploaded_file($tmp_name, "$uploads_dir/$name");
>>> ?>
>>>
>>> I consider it a documentation bug (in the sample code they use an
>>> absolute path).
>>> I indeed believe I *should* be able to use both of them if not
>>> documented otherwise.
>>> I will dig into the C implementation of the move_uploaded_file
>>> function and I'll check, though.
>>>
>>> Cheers,
>>>
>>> Roberto Aloi
>>> http://aloiroberto.wordpress.com
>>> Twitter: @prof3ta
>>>
>>>
>>>       

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
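Editor's note: the handler below is an added example, not code from anyone in this thread. It assumes the same layout as Roberto's premises (the script lives in htdocs/feedback_tool and the writable directory is htdocs/upload). It builds the target from `__DIR__` so the path handed to move_uploaded_file() is filesystem-absolute without guessing where the web root is, and it treats the client-supplied filename as untrusted, since an unsanitised name joined onto the directory is exactly what Carl's chroot remark is worried about. The `safe_upload_target()` helper, the extension whitelist and the error strings are choices made for this example.

```php
<?php
// Added example (not part of the original thread). Assumed layout:
//   this file:       .../htdocs/feedback_tool/upload.php
//   upload directory .../htdocs/upload   (writable by the web server user)
declare(strict_types=1);

// Filesystem path, built from this script's directory: "/upload" on its own
// would mean the root of the filesystem, not htdocs/upload.
const UPLOAD_DIR = __DIR__ . '/../upload';

// Returns the canonical destination path, or null if the upload must be refused.
function safe_upload_target(string $uploadDir, string $clientName): ?string
{
    // realpath() resolves "..", symlinks, etc. and returns false if missing.
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base) || !is_writable($base)) {
        return null;
    }

    // Reduce the client name to a basename (handle Windows separators too),
    // then whitelist characters, so "../../x" or "..\\x" cannot leave $base.
    $name = basename(str_replace('\\', '/', $clientName));
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');           // no dotfiles, and "..." becomes ""
    if ($name === '' || strlen($name) > 255) {
        return null;
    }

    // Only a small set of extensions; a .php dropped under htdocs is a webshell.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'pdf', 'txt'], true)) {
        return null;
    }

    $target = $base . DIRECTORY_SEPARATOR . $name;
    // Belt and braces: the parent of the final path must still be $base.
    if (dirname($target) !== $base) {
        return null;
    }
    return $target;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $f = $_FILES['file'];
    if ($f['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        exit('upload failed: error code ' . $f['error']);
    }

    // is_uploaded_file() only accepts a path PHP itself created for this
    // request's multipart body, so a forged tmp_name cannot copy other files.
    if (!is_uploaded_file($f['tmp_name'])) {
        http_response_code(400);
        exit('not an uploaded file');
    }

    $target = safe_upload_target(UPLOAD_DIR, $f['name']);
    if ($target === null) {
        http_response_code(400);
        exit('rejected filename');
    }

    if (!move_uploaded_file($f['tmp_name'], $target)) {
        http_response_code(500);
        exit('could not move upload');
    }

    // The web root only enters the picture here: the URL the browser uses.
    echo 'stored as /upload/' . rawurlencode(basename($target));
}
```

The closest thing PHP offers to Carl's chroot suggestion, short of actually chrooting the web server, is the `open_basedir` directive in php.ini (for example `open_basedir = /home/prof3ta/projects/moodle/htdocs`); with it set, move_uploaded_file() refuses a destination outside the listed tree, so Roberto's first snippet would fail loudly instead of silently writing to "/upload" if the server user happened to have permission there.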

