Solved

Perl Upload

Posted on 2007-03-26
Last Modified: 2013-12-25
Hello,

I am trying to use the script below to upload files, in conjunction with php. I am trying to pass urls into the script via post which will set a different tmp_dir and upload_dir based on the logged in user.

My problem is that in the first part of the script, I try to assign the parameters from post. The parameters get assigned properly, but then the file does not upload. The problem is that it cannot get the tmp_filename. I have noticed that if I do not assign any variables from params prior to that call, that it will indeed work. Does anyone have any suggestions?

The script is located here: http://pastebin.modevia.com/66
Question by:axman505
Accepted Solution

by:
Mark Gilbert earned 500 total points
ID: 18804971
As you are manually assigning a value for the temp dir, you will need to teach your "upload" script to look in the new tmp dir for the files that it needs to manipulate. One question I have about this is why change its temp dir? Surely you could increase the temp dir size limit, to allow for the uploads of more files, but at the same time, because php and uploads run on sessions, the value of the file they uploaded would be readily recognisable, and totally controlled by your scripts, that you needn't worry about other users having access to an individual's file. Trying to change the way the whole system works starts infringing on system user policies, etc.

By infringement, I don't mean copyright in the slightest...but more in the way of policy breaking. Each folder created on a *nix machine generally has specific user/group permissions. When you change these on the fly, you need to ensure that the web/php user that will be accessing those folders can indeed do so, as from what you have explained, it doesn't. Your log files are also a good indication as to what's going wrong when trying to do x, it does y, or nothing at all.

If however, you really do wish to do on the fly assignment of which folder to use, and have all the perms set up correctly then you would want to query the database after storing certain locations within it, grab the value, and then assign it to a session variable. This then keeps your server "safe" in the sense that that data will expire after a certain amount of time. Additionally, it would have to exist, and point to a specific record in the database to access that particular folder, and also keeps it away from post. Both POST and GET can be manipulated by any user at any time, and this is a major security risk.

By using queries and session variables, you are ensuring that the user can't manipulate these values, as they are controlled by the server, assuming of course that everything used is internal, and not "over the network" such as a database connection.  If it's local then happy days.

Always ensure you authenticate, and then also have your scripts ensure that the folder in the variable x actually is a folder.  Also ensure that if you are working with an open_dir restriction in place, that your scripts can indeed access those folders.  This isn't an easy thing to do if your apache.conf file isn't opened up for you, so this is another total kettle of fish, but also very very relevant to what you are trying to achieve.  The assignment of a specific target directory shouldn't be a problem either if the correct perms, open_dir restriction exclusions etc have been applied.

Hope this helps.
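
The approach the accepted answer describes, as an added example that is not part of the original thread: the upload directory is looked up from the session's user ID rather than read from POST, then checked to exist, to sit under a base directory and to be writable. The function name `resolve_upload_dir`, the `$userDirs` array (standing in for the database table) and the directory names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: choose the upload directory from server-side state only.
// $userDirs stands in for the database lookup the answer describes.
function resolve_upload_dir(string $baseDir, array $session, array $userDirs): string
{
    $userId = $session['user_id'] ?? null;          // set at login, never from POST/GET
    if (!is_int($userId) || !isset($userDirs[$userId])) {
        throw new RuntimeException('not authenticated or no directory on record');
    }
    $base = realpath($baseDir);
    $dir  = realpath($baseDir . DIRECTORY_SEPARATOR . $userDirs[$userId]);
    if ($base === false || $dir === false || !is_dir($dir)) {
        throw new RuntimeException('upload directory does not exist');
    }
    // realpath() resolved any ".." or symlink, so a prefix check is meaningful here.
    if (strncmp($dir, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('upload directory escapes the base directory');
    }
    if (!is_writable($dir)) {
        throw new RuntimeException('web server user cannot write to upload directory');
    }
    return $dir;
}

// Constructed demo data: a temporary base directory with one per-user folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'user_42', 0700, true);
$userDirs = [42 => 'user_42', 43 => '../elsewhere'];   // 43 is a bad record on purpose

// A request-supplied path is present but deliberately never read.
$post = ['upload_dir' => '/etc'];

echo resolve_upload_dir($base, ['user_id' => 42], $userDirs), PHP_EOL;

// A bad database record and a missing login are both refused.
foreach ([['user_id' => 43], []] as $session) {
    try {
        resolve_upload_dir($base, $session, $userDirs);
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
rmdir($base . DIRECTORY_SEPARATOR . 'user_42');
rmdir($base);
```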