OJB Posted September 10, 2007

Hey all

I am currently developing a PHP/MySQL site whereby clients are able to upload certain file types (.zip and .rar) for a specific use. I have written an upload script, but first of all it doesn't seem to be limiting the file types to just zip and rar.

Basically what the code does is create a directory for each client (if there isn't one already) based on their user ID, which is stored in their session header... then from a form on a different page it is supposed to upload the file they choose to their directory. It is working correctly in the sense that the files are going to the correct folder, but I can upload any file type at the moment.

    <?php
    // Per-client upload directory, named after the user ID held in the session
    $dir = "/home/*******/public_html/******/upload/";
    $dir .= $_SESSION['userID'];

    // Accept or reject on the MIME type reported for the upload
    if (($_FILES["thefile"]["type"] == "application/zip")
        || ($_FILES["thefile"]["type"] == "application/x-rar-compressed")
        || ($_FILES["thefile"]["type"] == "application/x-zip-compressed")
        || ($_FILES["thefile"]["type"] == "application/octet-stream")
        && ($_FILES["thefile"]["size"] < 20000000)) {
        if ($_FILES["thefile"]["error"] > 0) {
            echo "Return Code: " . $_FILES["thefile"]["error"] . "<br />";
        } else {
            echo "Upload: " . $_FILES["thefile"]["name"] . "<br />";
            echo "Type: " . $_FILES["thefile"]["type"] . "<br />";
            echo "Size: " . ($_FILES["thefile"]["size"] / 1024) . " Kb<br />";
            echo "Temp file: " . $_FILES["thefile"]["tmp_name"] . "<br />";
            if (file_exists($dir. "/" . $_FILES["thefile"]["name"])) {
                echo $_FILES["thefile"]["name"] . " already exists. ";
            } else {
                move_uploaded_file($_FILES["thefile"]["tmp_name"], $dir. "/" . $_FILES["thefile"]["name"]);
                echo "Stored in: " . $dir. "/" . $_FILES["thefile"]["name"];
            }
        }
    } else {
        echo "Invalid file";
    }
    ?>

However, even when I upload MP3s or other file types it still allows the upload.

Secondly, having created the folder and now having uploaded some files I don't actually want, I can't seem to delete either the folder or the files within. I keep getting a permission denied error in SmartFTP, and nothing happens when I try to delete them through CPanel (legacy) file manager. Surely this shouldn't be happening. When I create the folders I am CHMODing them to 0777, so I should be able to remove the files and directories.

Any help for a confused little man would go down a charm...

TCH-Bruce Posted September 10, 2007

You also need to change the files being uploaded to 666 permissions to be able to delete them.

I would check hotscripts.com for an upload script so that you could check out how they are testing MIME types. I've never seen anyone check for a file type as you are doing. Usually you strip the filename into two pieces and test the extension for zip, jpg, mp3, etc...

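One way to do the extension test described above, as an added example that is not code from this thread or from the scripts it links to: it also compares the file's leading bytes with the archive signatures, so the decision never depends on the browser-supplied `$_FILES[...]['type']`. The helper name `validate_archive_upload()` and the sample files are constructed for illustration.

```php
<?php
// Added example: validate_archive_upload() is a hypothetical helper.
// The browser-supplied $file['type'] is never consulted.
const ARCHIVE_SIGNATURES = [
    'zip' => ["PK\x03\x04", "PK\x05\x06"], // local file header, empty archive
    'rar' => ["Rar!\x1A\x07"],             // prefix shared by RAR 4.x and 5.x
];

function validate_archive_upload(array $file, int $maxBytes = 20000000): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    if ($file['size'] <= 0 || $file['size'] >= $maxBytes) {
        return [false, 'size out of range'];
    }
    // basename() drops any directory part the client put in the name.
    $name = basename($file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ARCHIVE_SIGNATURES)) {
        return [false, "extension '$ext' is not allowed"];
    }
    // Compare the first bytes on disk with the signatures for that extension.
    $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 8);
    foreach (ARCHIVE_SIGNATURES[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return [true, $name];
        }
    }
    return [false, 'content does not match the extension'];
}

// Constructed samples: MP3-like bytes and a ZIP header, all sent with a
// MIME type that the check in the first post accepts.
$samples = [
    'song.mp3'   => "ID3\x03\x00\x00\x00\x00\x00\x00",
    'song.zip'   => "ID3\x03\x00\x00\x00\x00\x00\x00",
    'backup.zip' => "PK\x03\x04\x14\x00\x00\x00\x08\x00",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $file = ['name' => $name, 'type' => 'application/octet-stream',
             'tmp_name' => $tmp, 'size' => strlen($bytes), 'error' => UPLOAD_ERR_OK];
    [$ok, $detail] = validate_archive_upload($file);
    echo $name, ': ', $ok ? 'accepted' : 'rejected', " ($detail)\n";
    unlink($tmp);
}
```

In an upload handler the argument would be `$_FILES['thefile']`, and the returned name is the one to pass on to `move_uploaded_file()`.
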
OJB (Author) Posted September 11, 2007

Thanks for the info Bruce. I shall contact the help-desk and get them to delete the files for me for now.

The mime-type check I actually got from the w3 school site: http://www.w3schools.com/php/php_file_upload.asp

Most of my upload script is the same, but obviously modified to suit my particular needs. I shall browse hotscripts for a more suitable upload script.

Cheers again

TCH-Bruce Posted September 11, 2007

I've used this one before and it blocked extensions correctly.

OJB (Author) Posted September 11, 2007

Thanks again Bruce.

I have also had the help desk CHMOD my files so I can now remove them.

OJB (Author) Posted September 18, 2007

I downloaded that upload script you suggested, Bruce. It looks good, but instead of just using it as is I wanted to try to get my head around the code and make sure I understand what is going on.

The problem I have at the moment is that I have managed to change the permissions on my uploaded files successfully to 666 (and whatever else I wanted them to be) but I still can't delete the files. The reason for this is not permissions but rather file ownership. All the files I upload have the ownership set to UID: 99 GID: 99. Basically I think this means they are set to "nobody".

I already contacted the help desk once and they changed the ownership of the files I had already uploaded and I deleted them. I would rather not contact them again until I have properly sorted this issue and it won't happen again, because I don't want to pester them.

Anyway, can anyone explain how to set the ownership of a file when you upload it? I have tried to use chown() to change the ownership to a different user ID AFTER uploading, but I am not permitted to do so. I can't see where this occurs in that script you have linked me to, Bruce. If I could find this out, I think I could even write my own script, or at least tweak that one to my own tastes.

At the bottom of this post I have pasted the PHP part of the upload script you linked me to. I can see the file permissions being set here:

    $result = move_uploaded_file($temp_name, $file_path);
    if (!chmod($file_path,0777))

and the permissions of the folder here:

    if (!chmod($upload_dir,0755))
        die ("change permission to 755 failed.");

But I have no idea where the ownership is done. Any help would be awesome. Cheers guys.

    // $DELETABLE, $MAX_SIZE and $FILE_EXTS are not defined in this excerpt
    $site_name = $_SERVER['HTTP_HOST'];
    $url_dir = "http://".$_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF']);
    $url_this = "http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
    $upload_dir = "files/";
    $upload_url = $url_dir."/files/";
    $message = "";

    /************************************************************
     * Create Upload Directory
     ************************************************************/
    if (!is_dir("files")) {
        if (!mkdir($upload_dir))
            die ("upload_files directory doesn't exist and creation failed");
        if (!chmod($upload_dir,0755))
            die ("change permission to 755 failed.");
    }

    /************************************************************
     * Process User's Request
     ************************************************************/
    if ($_REQUEST['del'] && $DELETABLE) {
        $resource = fopen("log.txt","a");
        fwrite($resource,date("Ymd h:i:s")."DELETE - $_SERVER[REMOTE_ADDR]"."$_REQUEST[del]\n");
        fclose($resource);

        if (strpos($_REQUEST['del'],"/.")>0); //possible hacking
        else if (strpos($_REQUEST['del'],$upload_dir) === false); //possible hacking
        else if (substr($_REQUEST['del'],0,6)==$upload_dir) {
            unlink($_REQUEST['del']);
            print "<script>window.location.href='$url_this?message=deleted successfully'</script>";
        }
    }
    else if ($_FILES['userfile']) {
        $resource = fopen("log.txt","a");
        fwrite($resource,date("Ymd h:i:s")."UPLOAD - $_SERVER[REMOTE_ADDR]"
            .$_FILES['userfile']['name']." "
            .$_FILES['userfile']['type']."\n");
        fclose($resource);

        $file_type = $_FILES['userfile']['type'];
        $file_name = $_FILES['userfile']['name'];
        // Everything from the last "." onwards, lower-cased
        $file_ext = strtolower(substr($file_name,strrpos($file_name,".")));

        //File Size Check
        if ( $_FILES['userfile']['size'] > $MAX_SIZE)
            $message = "The file size is over 2MB.";
        //File Extension Check
        else if (!in_array($file_ext, $FILE_EXTS))
            $message = "Sorry, $file_name($file_type) is not allowed to be uploaded.";
        else
            $message = do_upload($upload_dir, $upload_url);

        print "<script>window.location.href='$url_this?message=$message'</script>";
    }
    else if (!$_FILES['userfile']);
    else
        $message = "Invalid File Specified.";

    /************************************************************
     * List Files
     ************************************************************/
    $handle=opendir($upload_dir);
    $filelist = "";
    while ($file = readdir($handle)) {
        if(!is_dir($file) && !is_link($file)) {
            $filelist .= "<a href='$upload_dir$file'>".$file."</a> - URL: <b>$upload_url$file</b>";
            if ($DELETABLE)
                $filelist .= " Added at ".date("d-m H:i", filemtime($upload_dir.$file)) ."";
            $filelist .= " <a style='text-decoration:none; font-weight:bold' href='?del=$upload_dir".urlencode($file)."' title='delete'>x</a>";
            $filelist .="<br>";
        }
    }

    function do_upload($upload_dir, $upload_url) {
        $temp_name = $_FILES['userfile']['tmp_name'];
        $file_name = $_FILES['userfile']['name'];
        $file_name = str_replace("\\","",$file_name);
        $file_name = str_replace("'","",$file_name);
        $file_path = $upload_dir.$file_name;

        //File Name Check
        if ( $file_name =="") {
            $message = "Invalid File Name Specified";
            return $message;
        }

        $result = move_uploaded_file($temp_name, $file_path);
        if (!chmod($file_path,0777))
            $message = "change permission to 777 failed.";
        else
            $message = ($result)?"$file_name was uploaded successfully." :
                "Something is wrong with uploading the file.";
        return $message;
    }

TCH-Bruce Posted September 19, 2007

The reason you can't change ownership in the script is because the web server user "nobody" is creating the files. That user does not have rights to change ownership of files.

OJB (Author) Posted September 19, 2007

^ How would I go about setting a suitable owner upon file upload then? And what should the owner and group ID be set to?

This is all rather new to me so has me a bit confused. Sorry!

TCH-Bruce Posted September 19, 2007

Sorry, but the only way I know how to do that would be to upload using an FTP client.

OJB (Author) Posted October 3, 2007

I thought I would update this in case someone else has the same problem. Today I finally solved the problem. As mentioned before, it was setting the folder ownership to be "nobody". In order to overcome this I used umask():

    if (!is_dir($dir)) {
        $oldumask = umask(0);
        mkdir($dir, 0777);
        umask($oldumask);
    }

Now the folders and files created within them I can remove via FTP, which is a relief.

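Why the `umask()` change in the post above has that effect, as an added example that is not part of the original thread: removing a file needs write permission on the directory that holds it, and `mkdir()` grants the requested mode minus the process umask. The helper name, the temp paths and the 0022 default mask are assumptions; the resulting 0777 directory is writable by every account on the server.

```php
<?php
// Added example: make_dir_report() is a hypothetical helper and the paths are
// constructed under the system temp directory.
function make_dir_report(string $path, int $mode, int $umask): array
{
    $old = umask($umask);   // mask applied to every mode this process requests
    mkdir($path, $mode);
    umask($old);            // restore the previous mask afterwards
    clearstatcache();
    $actual = fileperms($path) & 0777;
    return [
        'requested' => sprintf('%04o', $mode),
        'umask'     => sprintf('%04o', $umask),
        'actual'    => sprintf('%04o', $actual),
        'owner_uid' => fileowner($path), // the account PHP runs as
        // Removing an entry needs write and search permission on the directory.
        'others_can_delete' => ($actual & 0003) === 0003,
    ];
}

$base = sys_get_temp_dir() . '/umask_demo_' . getmypid();
mkdir($base, 0700);
$cases = [
    'default_mask' => [0777, 0022], // 0022 is an assumed server default
    'cleared_mask' => [0777, 0000], // the umask(0) approach from the thread
];
foreach ($cases as $label => [$mode, $mask]) {
    $report = make_dir_report("$base/$label", $mode, $mask);
    echo $label, ': ', json_encode($report), "\n";
    rmdir("$base/$label");
}
rmdir($base);
```
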