Solved

Perl Upload

Posted on 2007-03-26
Last Modified: 2013-12-25
Hello,

I am trying to use the script below to upload files, in conjunction with php.  I am trying to pass urls into the script via post which will set a different tmp_dir and upload_dir based on the logged in user.

My problem is that in the first part of the script, I try to assign the parameters from post.  The parameters get assigned properly, but then the file does not upload.  The problem is that it cannot get the tmp_filename.  I have noticed that if I do not assign any variables from params prior to that call, that it will indeed work.  Does anyone have any suggestions?

The script is located here: http://pastebin.modevia.com/66
Question by:axman505
Accepted Solution

by:
Mark Gilbert earned 500 total points
ID: 18804971
As you are manually assigning a value for the temp dir, you will need to teach your "upload" script to look in the new tmp dir for the files that it needs to manipulate.  One question I have about this is why change its temp dir?  Surely you could increase the temp dir size limit, to allow for the uploads of more files, but at the same time, because php and uploads run on sessions, the value of the file they uploaded would be readily recognisable, and totally controlled by your scripts, that you needn't worry about other users having access to an individual's file.  Trying to change the way the whole system works starts infringing on system user policies, etc.

By infringement, I don't mean copyright in the slightest...but more in the way of policy breaking.  Each folder created on a *nix machine generally has specific user/group permissions.  When you change these on the fly, you need to ensure that the web/php user that will be accessing those folders can indeed do so, as from what you have explained, it doesn't.  Your log files are also a good indication as to what's going wrong when trying to do x, it does y, or nothing at all.

If, however, you really do wish to do on the fly assignment of which folder to use, and have all the perms set up correctly, then you would want to query the database after storing certain locations within it, grab the value, and then assign it to a session variable.  This then keeps your server "safe" in the sense that that data will expire after a certain amount of time.  Additionally, it would have to exist, and point to a specific record in the database to access that particular folder, and also keeps it away from post.  Both POST and GET can be manipulated by any user at any time, and this is a major security risk.

By using queries and session variables, you are ensuring that the user can't manipulate these values, as they are controlled by the server, assuming of course that everything used is internal, and not "over the network" such as a database connection.  If it's local then happy days.

Always ensure you authenticate, and then also have your scripts ensure that the folder in the variable x actually is a folder.  Also ensure that if you are working with an open_dir restriction in place, that your scripts can indeed access those folders.  This isn't an easy thing to do if your apache.conf file isn't opened up for you, so this is another total kettle of fish, but also very very relevant to what you are trying to achieve.  The assignment of a specific target directory shouldn't be a problem either if the correct perms, open_dir restriction exclusions etc have been applied.

Hope this helps.
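
The approach described in the accepted answer, as an added example that is not part of the original thread: the upload directory is resolved from the session's user id through a server-side lookup, then checked to be a real, writable folder under one root. The function name `resolve_upload_dir`, the temporary root path and the array standing in for the database query are assumptions.

```php
<?php
// Added example. Function name, paths and the lookup array are assumptions.

/**
 * Return the upload directory for the logged-in user, or null if any check fails.
 * Nothing here reads $_POST or $_GET: the only input is server-side state.
 */
function resolve_upload_dir(array $session, array $dirsByUser, string $root): ?string
{
    // 1. Authenticate: the id must be the one login code stored in the session.
    if (!isset($session['user_id']) || !is_int($session['user_id'])) {
        return null;
    }
    // 2. A record must exist for that user (array stands in for the database query).
    $relative = $dirsByUser[$session['user_id']] ?? null;
    if (!is_string($relative) || $relative === '') {
        return null;
    }
    // 3. Canonicalise, then confirm the value actually is a folder.
    $rootReal = realpath($root);
    $dirReal  = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($rootReal === false || $dirReal === false || !is_dir($dirReal)) {
        return null;
    }
    // 4. Reject anything that resolves outside the root ("..", symlinks).
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    if (strncmp($dirReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // 5. The web/PHP user must be able to write there.
    return is_writable($dirReal) ? $dirReal : null;
}

// Constructed demo data: a throwaway root holding one per-user folder.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
mkdir($root . DIRECTORY_SEPARATOR . 'user_42', 0700, true);
$dirsByUser = [42 => 'user_42', 43 => '..', 44 => 'no_such_folder'];

$cases = ['valid user' => ['user_id' => 42], 'record escapes root' => ['user_id' => 43],
          'folder missing' => ['user_id' => 44], 'not logged in' => []];
foreach ($cases as $label => $session) {
    $dir = resolve_upload_dir($session, $dirsByUser, $root);
    printf("%-20s %s\n", $label, $dir ?? 'rejected');
}

rmdir($root . DIRECTORY_SEPARATOR . 'user_42');
rmdir($root);
```

In an upload handler the first argument would be `$_SESSION` after `session_start()`, and the lookup array would be replaced by the database query.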
Question has a verified solution.