• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 252
  • Last Modified:

PHP -- how do I give PHP access to different parts of filesystem? Or what parts can it access?

We had someone make a simple dashboard for us, to show reports to clients.  It is written in PHP, with a MySQL database. And he just moved it from his test server to our own web server (Apache).  

Is PHP restricted as far as what folders it can access (READ) in the file system?  Where do files need to be to be read, and/or how to I allow it to see files in a certain location that I desire?

note: this is a dedicated server that we own, so I have full root access.
0
Xetroximyn
Asked:
Xetroximyn
  • 6
  • 4
  • 3
  • +1
3 Solutions
 
farzanjCommented:
PHP is not restricted.

As root issue this command
which php

This should tell you its location.

Anyone should be able to access this location as long as it is in the user's path.
0
 
XetroximynAuthor Commented:
I think my question was very unclear --- i am not trying to access the location of PHP.  The webpage works just fine.  The PHP of the webpage needs to access files OUTSIDE of /var/www/html to display them.  

SO I dont need people to be able to access PHP.  I need PHP to be able to access files in a different place in the filesystem.  or Atleast know where I have to make a mount point for PHP to be able to read the files in the mount point  

(but preferably not where they can just be accessed by anyone going to the the web page with the right path)

0
 
Ray PaseurCommented:
I do this all the time - put files outside of the WWW root to prevent "accidental" access via a web browser.  PHP can almost certainly access files in a path from /var/ that does not include /www/
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
XetroximynAuthor Commented:
Thanks!

I mounted the files within /var and I am still having problems.   It might just be the php -- but just want to make sure that you dont see any reason PHP should not be able to access the files.

I checked every directory in the path to the file and all are 777 (except var which is 755) and the actual file trying to access is 666.  

0
 
Ray PaseurCommented:
Let's try this... run this script:

<?php phpinfo();

Down near the bottom of the output look for DOCUMENT_ROOT.  To get to files above that you might use something like this:

require_once('../root/data_base_link.php');
0
 
XetroximynAuthor Commented:
the doc_root had not value. DOCUMENT_ROOT was /var/www/html

FYI -- the guy said he can access the files on the back end.  So he said something about how we could have to read the file with php code, and regurgitate it to the page -- like instead of direct access to the file.

does that sound right, or should it be able to just provide direct access to the file, to whoever is logged into the dashboard page.


0
 
Ray PaseurCommented:
That makes sense to me.  On my shared server account the document root says, /home/{ my account }/public_html and while I can get to files above the public_html folder with FTP and with my cPanel controls, I cannot get to them with a web browser.  However, using the ../ notation shown above, I can get to them with PHP, and I can include() them or read and regurgitate with file_get_contents(), etc.
0
 
crazedsanityCommented:
In the original request, you asked if PHP was limited, which it is... sort of.  On a Linux system, it is limited based on the user running it: the Apache webserver generally runs as "nobody", so the files it could read would be limited to whatever the "nobody" user could read (which is basically nothing unless the file/folder in question is readable by anyone).

When accessing files through the webserver via PHP, you would need to explicitly reference the file.  For instance, if you're trying to read the contents of "/var/log/test.log" (assuming it has the afore-mentioned read permissions), the call to read the file's contents would have to be something like:
file_get_contents('/var/log/test.log');

Open in new window

0
 
XetroximynAuthor Commented:
would this include() allow for downloading a binary file, you think?
0
 
crazedsanityCommented:
include() should never be used for anything but a PHP file.  If you want to read in the contents of a file, use file_get_contents().  What kind of file is the afore-mentioned binary file?
0
 
XetroximynAuthor Commented:
Thanks!

An excel or Word document would probably be the most common binary files.

Quick explanation of what this is all about and the goal.  
This is a mostly dashboard, that our clients will use to view html reports of jobs we are running for them. (which reside on a different server) (This part is already working by reading/regurgitating )

However -- we also want to be able to provide any type of file for download.  Word/Excel would probably be the most common.  But also possible SPSS .sav files, etc.  The guy doing the dashboard indicates that this will be more work, than what he has set up that is allowing the dashboard to display html files that reside on the remote server.

0
 
crazedsanityCommented:
If you're looking to allow people to download these files, all you really need is a script that can set a header & then output the file's contents (it might not be the best method, but it seems to work).  I'd do this in a separate file, like "download.php", and just send a _GET var to it indicating what the file is (be careful here; you don't want to allow anybody to just download any file on the server).

Set a "Content-Type" header on that page & set it to "application/octet-stream" or "binary/download" (the second probably isn't a real content type, which forces the browser to download the file).  Then just echo the file_get_contents() results, and you should be good to go.
0
 
crazedsanityCommented:
A note about security: the download script should NOT accept arguments like "download.php?file=/var/file/name"; store some reference into the session, and then have the download page reference that to get the file's path; otherwise, if there is a flaw with the script, it could give malicious people files that contain sensitive data.  I would suggest enforcing only authenticated users can access it.
0
 
XetroximynAuthor Commented:
Thanks!
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 6
  • 4
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now