Topic awaiting preservation: File modification and uploads with PHP? (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=13053" title="Pages that link to Topic awaiting preservation: File modification and uploads with PHP? (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: File modification and uploads with PHP? <span class="small">(Page 1 of 1)</span>\$

FlagMan Bipolar (III) Inmate From: Calgary Alberta Canada Insane since: Dec 2002	posted 02-11-2004 05:23 1. Should I be able to create files in a folder the owner (me) of the script owns? eg: - I want to create a file called "asdf.txt" - I have ownership of the folder it is being created in (public_html) - I have ownership of the PHP script which is running code: $file = "asdf.txt"; if (!$handle = fopen($file, "w")) { echo "Error: Cannot open the file."; exit; } if (!fwrite($handle,"things")) { echo "Error: Cannot write to the file."; exit; } fclose($handle); I should be able to create the file right? After all... I do own the script and the folder. But I can't, I get a permission denied error when I try to open it for writing. I have been able to write to the file if I chmod it or the folder it is in to 777 (everyone has full access). But, as you can tell, that poses an obvious security threat. I think this could be caused by PHP's built-in "safe mode", but it shouldn't be limiting it. 2. After I upload a file using a modified version of the script located here, the owner of the uploaded file becomes "48" (it should be "flagman"), and the chmod is 600 (only the owner can read from and write to the file). I can still logon to the FTP and modify the file. Anyway... my question is... how can I properly modify/create these files without posing any security threat to my site, and how can I upload the files so that they have the proper chmod and owner? EDIT Also, does anybody have a good tutorial on using PHP with forms... I have tried both GET and POST, but the parameters always still appear in the URL bar? [This message has been edited by FlagMan (edited 02-11-2004).]
DmS Paranoid (IV) Inmate From: Sthlm, Sweden Insane since: Oct 2000	posted 02-11-2004 10:13 I believe this has to do with how PHP is running on your server, meaning if Apache is the default owner or if you are. There is a thread over at the GN that explains most of this, pop over and take a look to see if it helps. http://development.gurusnetwork.com/discussion/thread/2470/ For your other Q, PHP/Forms. If the parameters are visible in the url the for is using GET as the method, then it doesn't matter if you are trying to retrieve it through $_POST in PHP, it's the HTML that controls it. In your HTML-form tag you must specify method="GET" or method="POST", if you leave it blank it defaults to GET, thus showing up in the url. /Dan {cell 260} -{ a vibration is a movement that doesn't know which way to go }-
butcher Paranoid (IV) Inmate From: New Jersey, USA Insane since: Oct 2000	posted 02-11-2004 20:47 Just to expand on what DmS was saying... Some servers are set up to run PHP scripts as the user nobody. If that's the case on your server, your PHP script wouldn't have permission to write to a folder that you own because even though you own the script that's running, it's not running as you. If on the other hand your server is running in a "cgi" mode, a PHP script will run as the owner of the script and should have the same permissions as you would. Hope this helps -Butcher-
FlagMan Bipolar (III) Inmate From: Calgary Alberta Canada Insane since: Dec 2002	posted 02-13-2004 00:56 Yes, I was aware that the POST method should not have posted the parameters in the URL, but it did for some reason... must have forgotten to upload the newest version or something like that. Anyway... I know (basicly) how the permissions work, but what I really need to know is how to do this, not why I can't. Is there anyway I can somehow logon so that the files are created under my name? The only way I can figure to do this is to login to the FTP using PHP's built in FTP commands, and chmoding the base directory to 777 each time I need to modify something in it, but this obviously takes longer than I would like and still poses some insecurities.

Topic awaiting preservation: File modification and uploads with PHP? (Page 1 of 1) $Pages that link to <a href="https://ozoneasylum.com/backlink?for=13053" title="Pages that link to Topic awaiting preservation: File modification and uploads with PHP? (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: File modification and uploads with PHP? <span class="small">(Page 1 of 1)</span>\$

FlagMan
Bipolar (III) Inmate

From: Calgary Alberta Canada
Insane since: Dec 2002

posted 02-11-2004 05:23

1. Should I be able to create files in a folder the owner (me) of the script owns? eg:
- I want to create a file called "asdf.txt"
- I have ownership of the folder it is being created in (public_html)
- I have ownership of the PHP script which is running

code:

$file = "asdf.txt";

  if (!$handle = fopen($file, "w")) {

    echo "Error: Cannot open the file.";

    exit;

  }

  if (!fwrite($handle,"things")) {

    echo "Error: Cannot write to the file.";

    exit;

  }

  fclose($handle);

I should be able to create the file right? After all... I do own the script and the folder. But I can't, I get a permission denied error when I try to open it for writing. I have been able to write to the file if I chmod it or the folder it is in to 777 (everyone has full access). But, as you can tell, that poses an obvious security threat. I think this could be caused by PHP's built-in "safe mode", but it shouldn't be limiting it.

2. After I upload a file using a modified version of the script located here, the owner of the uploaded file becomes "48" (it should be "flagman"), and the chmod is 600 (only the owner can read from and write to the file). I can still logon to the FTP and modify the file.

Anyway... my question is... how can I properly modify/create these files without posing any security threat to my site, and how can I upload the files so that they have the proper chmod and owner?

*EDIT* Also, does anybody have a good tutorial on using PHP with forms... I have tried both GET and POST, but the parameters always still appear in the URL bar?

[This message has been edited by FlagMan (edited 02-11-2004).]

DmS
Paranoid (IV) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted 02-11-2004 10:13

I believe this has to do with how PHP is running on your server, meaning if Apache is the default owner or if you are.
There is a thread over at the GN that explains most of this, pop over and take a look to see if it helps. http://development.gurusnetwork.com/discussion/thread/2470/

For your other Q, PHP/Forms.
If the parameters are visible in the url the for is using GET as the method, then it doesn't matter if you are trying to retrieve it through $_POST in PHP, it's the HTML that controls it.

In your HTML-form tag you must specify method="GET" or method="POST", if you leave it blank it defaults to GET, thus showing up in the url.
/Dan

{cell 260}
-{ a vibration is a movement that doesn't know which way to go }-

butcher
Paranoid (IV) Inmate

From: New Jersey, USA
Insane since: Oct 2000

posted 02-11-2004 20:47

Just to expand on what DmS was saying...

Some servers are set up to run PHP scripts as the user nobody. If that's the case on your server, your PHP script wouldn't have permission to write to a folder that you own because even though you own the script that's running, it's not running as you.

If on the other hand your server is running in a "cgi" mode, a PHP script will run as the owner of the script and should have the same permissions as you would.

Hope this helps

-Butcher-

FlagMan
Bipolar (III) Inmate

From: Calgary Alberta Canada
Insane since: Dec 2002

posted 02-13-2004 00:56

Yes, I was aware that the POST method should not have posted the parameters in the URL, but it did for some reason... must have forgotten to upload the newest version or something like that.

Anyway... I know (basicly) how the permissions work, but what I really need to know is how to do this, not why I can't. Is there anyway I can somehow logon so that the files are created under my name? The only way I can figure to do this is to login to the FTP using PHP's built in FTP commands, and chmoding the base directory to 777 each time I need to modify something in it, but this obviously takes longer than I would like and still poses some insecurities.