Perl Upload

Hello,

I am trying to use the script below to upload files, in conjunction with PHP. I am trying to pass URLs into the script via POST which will set a different tmp_dir and upload_dir based on the logged-in user.

My problem is that in the first part of the script, I try to assign the parameters from POST. The parameters get assigned properly, but then the file does not upload. The problem is that it cannot get the tmp_filename. I have noticed that if I do not assign any variables from params prior to that call, it will indeed work. Does anyone have any suggestions?

The script is located here: http://pastebin.modevia.com/66
Asked by: axman505 (LVL 1)
Mark Gilbert (Senior Performance Engineer) commented:
As you are manually assigning a value for the temp dir, you will need to teach your "upload" script to look in the new tmp dir for the files that it needs to manipulate. One question I have about this is why change its temp dir? Surely you could increase the temp dir size limit, to allow for the uploads of more files, but at the same time, because php and uploads run on sessions, the value of the file they uploaded would be readily recognisable, and totally controlled by your scripts, that you needn't worry about other users having access to an individual's file. Trying to change the way the whole system works starts infringing on system user policies, etc.

By infringement, I don't mean copyright in the slightest... but more in the way of policy breaking. Each folder created on a *nix machine generally has specific user/group permissions. When you change these on the fly, you need to ensure that the web/php user that will be accessing those folders can indeed do so, as from what you have explained, it doesn't. Your log files are also a good indication as to what's going wrong when trying to do x, it does y, or nothing at all.

If, however, you really do wish to do on-the-fly assignment of which folder to use, and have all the perms set up correctly, then you would want to query the database after storing certain locations within it, grab the value, and then assign it to a session variable. This then keeps your server "safe" in the sense that that data will expire after a certain amount of time. Additionally, it would have to exist, and point to a specific record in the database to access that particular folder, and also keeps it away from POST. Both POST and GET can be manipulated by any user at any time, and this is a major security risk.

By using queries and session variables, you are ensuring that the user can't manipulate these values, as they are controlled by the server, assuming of course that everything used is internal, and not "over the network" such as a database connection.  If it's local then happy days.

Always ensure you authenticate, and then also have your scripts ensure that the folder in the variable x actually is a folder.  Also ensure that if you are working with an open_dir restriction in place, that your scripts can indeed access those folders.  This isn't an easy thing to do if your apache.conf file isn't opened up for you, so this is another total kettle of fish, but also very very relevant to what you are trying to achieve.  The assignment of a specific target directory shouldn't be a problem either if the correct perms, open_dir restriction exclusions etc have been applied.

Hope this helps.
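
The server-side lookup and directory checks described in the answer above, as an added example that is not part of the original thread or the asker's script. The session-to-directory hash stands in for the database table, and the session IDs, directory names and `resolve_upload_dir` are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sandbox standing in for the real upload root.
my $base = realpath(tempdir(CLEANUP => 1));
mkdir File::Spec->catdir($base, 'alice') or die "mkdir: $!";

# Constructed stand-in for the database table the answer describes:
# session ID -> upload directory, written by the server after login.
my %upload_dir_for = (
    'sess-alice' => File::Spec->catdir($base, 'alice'),
    'sess-bob'   => File::Spec->catdir($base, 'bob'),   # never created on disk
    'sess-evil'  => File::Spec->catdir($base, 'alice', '..', '..'),
);

# Returns (canonical directory, 'ok') for a session, or (undef, reason).
sub resolve_upload_dir {
    my ($session_id, $root) = @_;
    my $stored = $upload_dir_for{$session_id // ''}
        or return (undef, 'unknown or expired session');
    my $real = realpath($stored);   # collapses ".." and resolves symlinks
    return (undef, 'not an existing directory')
        unless defined $real && -d $real;
    return (undef, 'not inside upload root')
        unless index("$real/", "$root/") == 0 && $real ne $root;
    return (undef, 'not writable by this process')
        unless -w $real;
    return ($real, 'ok');
}

# A directory named in a POST or GET parameter is never consulted;
# only the server-side record for the session decides the target.
for my $sid ('sess-alice', 'sess-bob', 'sess-evil', 'sess-forged') {
    my ($dir, $why) = resolve_upload_dir($sid, $base);
    printf "%-12s %s\n", $sid, defined $dir ? "-> $dir" : "rejected: $why";
}
```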