Solved

Perl Upload

Posted on 2007-03-26
Last Modified: 2013-12-25
Hello,

I am trying to use the script below to upload files, in conjunction with php. I am trying to pass urls into the script via post which will set a different tmp_dir and upload_dir based on the logged in user.

My problem is that in the first part of the script, I try to assign the parameters from post. The parameters get assigned properly, but then the file does not upload. The problem is that it cannot get the tmp_filename. I have noticed that if I do not assign any variables from params prior to that call, that it will indeed work. Does anyone have any suggestions?

The script is located here: http://pastebin.modevia.com/66
Question by:axman505

Accepted Solution

by:
Mark Gilbert earned 500 total points
ID: 18804971
As you are manually assigning a value for the temp dir, you will need to teach your "upload" script to look in the new tmp dir for the files that it needs to manipulate. One question I have about this is why change its temp dir? Surely you could increase the temp dir size limit, to allow for the uploads of more files, but at the same time, because php and uploads run on sessions, the value of the file they uploaded would be readily recognisable, and totally controlled by your scripts, that you needn't worry about other users having access to an individual's file. Trying to change the way the whole system works starts infringing on system user policies, etc.

By infringement, I don't mean copyright in the slightest...but more in the way of policy breaking. Each folder created on a *nix machine generally has specific user/group permissions. When you change these on the fly, you need to ensure that the web/php user that will be accessing those folders can indeed do so, as from what you have explained, it doesn't. Your log files are also a good indication as to what's going wrong when trying to do x, it does y, or nothing at all.

If however, you really do wish to do on the fly assignment of which folder to use, and have all the perms set up correctly then you would want to query the database after storing certain locations within it, grab the value, and then assign it to a session variable. This then keeps your server "safe" in the sense that that data will expire after a certain amount of time. Additionally, it would have to exist, and point to a specific record in the database to access that particular folder, and also keeps it away from post. Both POST and GET can be manipulated by any user at any time, and this is a major security risk.

By using queries and session variables, you are ensuring that the user can't manipulate these values, as they are controlled by the server, assuming of course that everything used is internal, and not "over the network" such as a database connection.  If it's local then happy days.

Always ensure you authenticate, and then also have your scripts ensure that the folder in the variable x actually is a folder.  Also ensure that if you are working with an open_dir restriction in place, that your scripts can indeed access those folders.  This isn't an easy thing to do if your apache.conf file isn't opened up for you, so this is another total kettle of fish, but also very very relevant to what you are trying to achieve.  The assignment of a specific target directory shouldn't be a problem either if the correct perms, open_dir restriction exclusions etc have been applied.

Hope this helps.
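
The approach described in the answer above, sketched in PHP as an added example (it is not code from the original post or from the linked script): the upload folder is derived from the session and a server-side lookup, never from POST, and is checked to be an existing, writable directory under one root. `UPLOAD_ROOT`, `lookupUploadDir`, `resolveUploadDir`, the sample user ids and the `file` form field are all hypothetical.

```php
<?php
declare(strict_types=1);
// Hypothetical base directory; every per-user folder must live under it.
const UPLOAD_ROOT = '/var/www/uploads';

// Stand-in for the database query (constructed sample rows): user id -> folder name.
function lookupUploadDir(int $userId): ?string
{
    $rows = [17 => 'axman505', 42 => 'guest'];
    return $rows[$userId] ?? null;
}

// Resolve the upload directory from server-side state only; $_POST/$_GET never touch the path.
function resolveUploadDir(array $session, string $root = UPLOAD_ROOT): string
{
    $name = empty($session['user_id']) ? null : lookupUploadDir((int) $session['user_id']);
    if ($name === null) {
        throw new RuntimeException('not authenticated or no upload folder on record');
    }
    // realpath() collapses ".." and symlinks and returns false if the path does not exist.
    $rootReal = realpath($root);
    $dirReal  = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($rootReal === false || $dirReal === false || !is_dir($dirReal)) {
        throw new RuntimeException('upload folder is missing or is not a directory');
    }
    // Containment check: the resolved folder must sit inside the root.
    if (strncmp($dirReal, $rootReal . DIRECTORY_SEPARATOR, strlen($rootReal) + 1) !== 0) {
        throw new RuntimeException('upload folder escapes the upload root');
    }
    // The web/PHP user must be able to write there.
    if (!is_writable($dirReal)) {
        throw new RuntimeException('upload folder is not writable by the web user');
    }
    return $dirReal;
}

// Usage inside an upload handler; the stored file name is generated, not user-supplied.
session_start();
try {
    $target = resolveUploadDir($_SESSION) . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16));
    $ok = move_uploaded_file($_FILES['file']['tmp_name'] ?? '', $target);
    echo $ok ? 'stored' : 'upload failed';
} catch (RuntimeException $e) {
    error_log($e->getMessage());
    http_response_code(400);
    echo 'upload rejected';
}
```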