Solved

Perl Upload

Posted on 2007-03-26
Last Modified: 2013-12-25
Hello,

I am trying to use the script below to upload files, in conjunction with php. I am trying to pass urls into the script via post which will set a different tmp_dir and upload_dir based on the logged-in user.

My problem is that in the first part of the script, I try to assign the parameters from post. The parameters get assigned properly, but then the file does not upload. The problem is that it cannot get the tmp_filename. I have noticed that if I do not assign any variables from params prior to that call, that it will indeed work. Does anyone have any suggestions?

The script is located here: http://pastebin.modevia.com/66
Question by:axman505
Accepted Solution

by:
ingwa earned 500 total points
As you are manually assigning a value for the temp dir, you will need to teach your "upload" script to look in the new tmp dir for the files that it needs to manipulate. One question I have about this is why change its temp dir? Surely you could increase the temp dir size limit, to allow for the uploads of more files, but at the same time, because php and uploads run on sessions, the value of the file they uploaded would be readily recognisable, and totally controlled by your scripts, that you needn't worry about other users having access to an individual's file. Trying to change the way the whole system works starts infringing on system user policies, etc.

By infringement, I don't mean copyright in the slightest... but more in the way of policy breaking. Each folder created on a *nix machine generally has specific user/group permissions. When you change these on the fly, you need to ensure that the web/php user that will be accessing those folders can indeed do so, as from what you have explained, it doesn't. Your log files are also a good indication as to what's going wrong when trying to do x, it does y, or nothing at all.

If, however, you really do wish to do on the fly assignment of which folder to use, and have all the perms set up correctly, then you would want to query the database after storing certain locations within it, grab the value, and then assign it to a session variable. This then keeps your server "safe" in the sense that that data will expire after a certain amount of time. Additionally, it would have to exist, and point to a specific record in the database to access that particular folder, and also keeps it away from post. Both POST and GET can be manipulated by any user at any time, and this is a major security risk.

By using queries and session variables, you are ensuring that the user can't manipulate these values, as they are controlled by the server, assuming of course that everything used is internal, and not "over the network" such as a database connection.  If it's local then happy days.

Always ensure you authenticate, and then also have your scripts ensure that the folder in the variable x actually is a folder.  Also ensure that if you are working with an open_dir restriction in place, that your scripts can indeed access those folders.  This isn't an easy thing to do if your apache.conf file isn't opened up for you, so this is another total kettle of fish, but also very very relevant to what you are trying to achieve.  The assignment of a specific target directory shouldn't be a problem either if the correct perms, open_dir restriction exclusions etc have been applied.

Hope this helps.
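The approach described in the answer above, as an added example that is not part of the original thread or the asker's script: the upload directory is looked up from server-side state keyed by the authenticated user and checked to be a real, writable folder under a fixed base before use. The names `resolve_upload_dir`, `safe_filename`, the `$lookup` callback (a stand-in for the database query) and the sample directory names are hypothetical.

```perl
#!/usr/bin/perl
# Added example: never take tmp_dir/upload_dir from POST; derive it server-side.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Basename qw(basename);
use File::Spec;
use File::Temp qw(tempdir);

# Returns the canonical upload directory for an authenticated user, or nothing.
# $user_id is assumed to come from the server-side session, not the request.
sub resolve_upload_dir {
    my ($base, $user_id, $lookup) = @_;
    return unless defined $user_id && $user_id =~ /\A[0-9]+\z/;
    my $rel = $lookup->($user_id);                  # value stored in the database
    return unless defined $rel && $rel =~ /\A[A-Za-z0-9_-]+\z/;
    my $path = File::Spec->catdir($base, $rel);
    return unless -d $path && -w $path;             # must exist, be a folder, be writable
    my ($root, $dir) = (realpath($base), realpath($path));
    return unless defined $root && defined $dir;
    return unless index($dir, "$root/") == 0;       # a symlink must not lead outside the base
    return $dir;
}

# Reduce a client-supplied file name to a safe basename, or nothing.
sub safe_filename {
    my ($name) = @_;
    return unless defined $name;
    $name =~ s{\\}{/}g;                             # treat Windows separators like '/'
    $name = basename($name);
    $name =~ s/[^A-Za-z0-9._-]/_/g;
    $name =~ s/\A\.+//;                             # no hidden or dot-only names
    return length $name ? $name : ();
}

# Constructed demo data: a temporary base directory and an in-memory "database".
my $base = tempdir(CLEANUP => 1);
mkdir "$base/u_1001" or die "mkdir: $!";
my %db     = (1001 => 'u_1001', 1002 => '../etc');
my $lookup = sub { $db{ $_[0] } };

for my $uid (1001, 1002, 9999) {
    my $dir = resolve_upload_dir($base, $uid, $lookup);
    printf "user %s -> %s\n", $uid, defined $dir ? $dir : 'rejected';
}
for my $raw ('report.pdf', '..\\..\\evil.php', '../../etc/passwd') {
    my $safe = safe_filename($raw);
    printf "%s -> %s\n", $raw, defined $safe ? $safe : 'rejected';
}
```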