File Upload and Unix/Linux

Anon

Hi everybody,

I have a little problem. I want to upload a file via a form.

I know that I have to copy the it like this:

$thefile = stripslashes($thefile);
if (($thefile <>"none") && ($thefile <> "")) {
$dest=$neu_id."_".$thefile_name;
if (copy ($thefile, $dest) ) {
echo "$thefile_type was uploaded<br>\n";} else
{echo "not uploaded !!!<br>\n";}
}
else {echo "some mistake !!!!";}

But the browser then returns :
Unable to create '20_thefile': Permission denied in ./upload.inc on line 57

(line 57 is the one with the copy)

What can I do, I don't know much about Linux/Unix and file permission

Thanx for your time,

Andy

Anon

Your httpd server (probably Apache) should be
running as user nobody, group nogroup (or something simular).

This account doesn't have many permissions. It should be able to read the files with your php scripts, but not be able to write to the directories containing those scripts.

That seems to be exactly what is happening, and it's a good thing.

Instead, create a directory for the uploads to go to, change the permissions so it is owned by the same user:group as the httpd deamon runs as (check the configuration files for your httpd), or simply use the /tmp directory.

By the way, you probably want to take more care in how you treat the filename, because that is esentually user-input. It could include semi-colons and pipes and other nasty tricks aimed at getting your system to do something dumb. Picking your own filename is a good idea. If you really want to keep their filename, you should do more work making sure it is harmless.

Anon

Another suggestion, since you have to good fortune to be running this on Linix: don't copy the file, create a link instead (using, naturally, the link() function.) That way no data is copied, but only a new directory entry is created. All the advice Nathan gives about permissions and directories applies here, too.

Anon

"Instead, create a directory for the uploads to go to, change the permissions so it is owned by the same user:group as the httpd deamon runs as (check the configuration files for your httpd), or simply use the /tmp directory."

Could someone explain this a bit more? I'm having problems with uploading files. They get a s far as the php temp dir but I can't copy them out due to safe mode.

So I create a directory in my home space, called e.g. upload and then change the permissions for it to what? How do I find the user:group for the httpd deamon? The server is on the other end of a phone line at the ISP and I haven't got a clue when it comes to Unix. I've found out that Apache is running as 99:99 - is this the value I set my directory "upload" to? If I do this, can I still get to this directory? Thx.