File uploading query

Formant

I'm new to PHP and have just bought a 3rd party PHP File Manager script
called D-man which fits my needs exactly. However, after installing I
noticed I cannot upload any files to my server via the script. It turns out
file_uploads are turned off in the php.ini file on my host. DOH!

I queried my server host and they said, and I quote:

"PHP is still running in safe mode on our servers. This disables PHP upload
meaning it is still not a feature we can offer on our Linux servers. If you
wish to use an upload facility I suggest you use the perl module for
uploads."

Is this right? Is file uploading still a security problem with PHP, they are using PHP v4.0.6 doesnt the new version correct this exploit?

I would like to present a case to them that would change their minds and
upgrade, if that would fix it. Or should I just change host, if so any recommendations for UK hosts.

Another problem is, as I bought a ton of books to learn php, many of the scripts involve uploading. Now I cant follow any of them either :/

Thanks for any suggestions.

cpp2php

hi,

im in a similar (ish) problem. i need to upload some files (big ones) to my hosting server - but the 'virtual dir' ive got doesnt seem to want to work with the file upload methods!

in order to get around this, i decided to write a script to set up an ftp connection - i would just ftp my files to my setup ftp dir.

one problem though. my hosting server dont support the ftp_connect() command. (the one used to set up an ftp connection).

solution? set up a free hosting a/c which lets u execute the ftp_connect() command. then connect (the two computers) using this 'proxy' script.

highly insecure, but good enough to test my php client.

the only thing is, i havent actually found a free php hoster (that lets u exectue ftp_connect() - check my posting 'free php hosting + ftp_connect()' for a list of the ones ive tried so far..

why am i telling you? if i find a free host, ill let u have a copy of the script(s) that i write, if u want? (the script will let u upload local file(s) to a remote ftp dir, via login)

:} later,

CR$
Cambridge, UK

theeper

File upload is insecure depending on the setup of the server. If PHP is a binary and the system is chroot, it probably isn't a great concern. If PHP is an apache mod in a non-chrooted environment, it is certainly a security issue.

cpp2php

thanks for that.

this php/linux/networking stuff is all new to me! but its a powerfull language (like c++) - so im picking up quick time, thankfully.

would it secure the php script abit more if i 'wrapped' all the script all into classes? can u inbed pre-compiled php script tags (to make them unreadable)?

or, is security all down to the server setup. if so, its pretty difficult to dictate server setup terms when your paying for a hosted server!

thanks again, CK

theeper

Check out www.zend.com they have a nice encoding package.