PHP client security.

JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

How do the PHP FTP functions fall into the subject of the client's security? I mean, how does the client know if the PHP script is uploading a file to their local hard drive? I wouldn't think this possible, but the file_get() function is described as retrieving a remote file from the FTP server and saving it into a local file. Now I don't understand how this could be secure for one who is browsing along web pages and then comes across a PHP page that downloads a file from the server. Is there a security alert of some kind?

Am I missing something here?
brendandonhue
Forum Commoner
Posts: 71
Joined: Mon Sep 25, 2006 3:21 pm

Post by brendandonhue »

"Local" in the context of a PHP script means the server, not the client's browser.

Post by JellyFish »

So then what does ftp_put() do?

Are you saying that FTP functions have nothing to do with the client's hard drive at all?
ibbo
Forum Commoner
Posts: 51
Joined: Tue Sep 19, 2006 6:20 am

Post by ibbo »

ftp_put will take a file from your hard drive and put it on the server hard drive.
ftp_get does the reverse.

In both instances you need to log in to the server via PHP's FTP methods, so it's as secure as FTP is (which sends in the clear if I recall, so that would make it not very).

ibbo

Post by JellyFish »

That's not what Brendan said. But if what you say is correct (rather than what Brendan says, slightly confused) then how is it secure that a server can upload a file to the client's hard drive without warning? That is, if you are referring to the client's hard drive when you say "your hard drive".

I'm wondering where it's secure for the user to have that going on behind the scenes?
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

The FTP functions allow your server (not your local machine) to connect to another remote server and upload/download files via FTP. They don't upload/download anything from your client machine unless your client machine is an FTP server and the remote server has username/password access, in which case you probably would have given them that. They do not upload/download from the client machine. A client machine can upload files via an HTTP form (standard upload) and then transfer them elsewhere with the FTP functions. Does that make sense?
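The flow described in the post above (browser uploads over an HTTP form, then the server relays the file to a remote FTP server), shown as an added example that is not part of the original thread. The host name, form field name `userfile` and environment variable names are assumptions; `ftp_ssl_connect()` is used instead of `ftp_connect()` because plain FTP sends the login in cleartext.

```php
<?php
// Added example: everything here runs on the web server, never in the browser.
// REMOTE_HOST, the 'userfile' field and FTP_USER/FTP_PASS are assumed names.
declare(strict_types=1);

const REMOTE_HOST = 'ftp.example.com';   // placeholder remote FTP server
const MAX_BYTES   = 5 * 1024 * 1024;     // reject uploads above 5 MiB

function relay_upload(array $file): string
{
    // 1. The browser sent the file in an HTTP POST and PHP stored it in a temp
    //    file on the SERVER's disk. That temp file is the "local" file.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid HTTP upload received');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('Upload too large');
    }
    // 2. The client-supplied name is untrusted: strip any path and odd bytes,
    //    and prefix a random token so uploads cannot overwrite each other.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    $remoteName = bin2hex(random_bytes(8)) . '_' . $safe;

    // 3. Server-to-server transfer over explicit TLS (needs PHP built with
    //    both the FTP extension and OpenSSL support).
    $ftp = ftp_ssl_connect(REMOTE_HOST, 21, 15);
    if ($ftp === false) {
        throw new RuntimeException('Cannot reach remote FTP server over TLS');
    }
    try {
        if (!ftp_login($ftp, getenv('FTP_USER') ?: '', getenv('FTP_PASS') ?: '')) {
            throw new RuntimeException('FTP login failed');
        }
        ftp_pasv($ftp, true);
        if (!ftp_put($ftp, $remoteName, $file['tmp_name'], FTP_BINARY)) {
            throw new RuntimeException('FTP transfer failed');
        }
    } finally {
        ftp_close($ftp);
    }
    return $remoteName;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['userfile'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(relay_upload($_FILES['userfile']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```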

Post by JellyFish »

Yeah, thanks for clearing that up Ninja.

What language should I use that would act as a File Transferrer (download and upload files to and from the client's hard drive) with or without the client's consent? You see, I was thinking about doing an Ajax FTP client. Are there other server languages that could do this other than Java, which I know can, but I'm not leaning towards apps?

Post by ibbo »

"with or without the client's consent?"

No ethics I see.

You're probably asking for some bother if you want to do this. Data protection etc. etc. springs immediately to mind. It's enough storing cookies on a client machine, but actually uploading and downloading from a client machine with or without consent is something I would not do (unless I'm in hacker mode) <- is that what you are?

ibbo

Post by JellyFish »

No, but I can see why you would think that. But if you read my last post more carefully, I'm making an AJAX FTP! So, I'm not meaning to do anything malicious, all I'm doing is trying to make an FTP with Ajax. I could use Java to access the client's hard drive for uploading/downloading, but then I'd have to learn Java.

When I say "with or without the client's consent" what I mean is:

With: i.e. an alert message such as Java's;
Without: a programming language that doesn't need an alert message, unlike Java, to access the client's computer.

In speculation, I'm always going to have the client's consent to transfer files to and from the server via the UI. So when I say "with or without the client's consent" it's referring to the language which can go about transferring files with or without the client's consent.

Now I know there is a language out there that does not need an alert message to transfer (download) a file onto the client's hard drive; how else would there even be malicious websites out there if there weren't? Now don't take that as if I'm going to create one of these sites, I just want my FTP to feel as much like a desktop application as possible.