PHP client security.

Posted: Tue Nov 07, 2006 9:58 pm
by JellyFish
How do the PHP FTP functions fall into the subject of the client's security? I mean, how does the client know if the PHP script is uploading a file to their local hard drive? I wouldn't think this possible, but the file_get() function is describing how it retrieves a remote file from the FTP server and saves it into a local file. Now I don't understand how this could be secure for one that is browsing along web pages and then comes across a PHP page that downloads a file from the server. Is there a security alert of some kind?

Am I missing something here?

Posted: Tue Nov 07, 2006 10:06 pm
by brendandonhue
"Local" in the context of a PHP script means the server, not the client's browser.

Posted: Tue Nov 07, 2006 10:47 pm
by JellyFish
So then what does ftp_put() do?

Are you saying that FTP functions have nothing to do with the client's hard drive at all?

Posted: Wed Nov 08, 2006 4:00 am
by ibbo
ftp_put will take a file from your hard drive and put it on the server hard drive.
ftp_get does the reverse.

In both instances you need to log in to the server via PHP's FTP methods, so it's as secure as FTP is (which sends in clear if I recall, so that would make it not very).

ibbo

Posted: Wed Nov 08, 2006 2:54 pm
by JellyFish
That's not what Brendan said. But if what you say is correct (rather than what Brendan says, slightly confused) then how is it secure that a server can upload a file to the client's hard drive without warning? That is, if you are referring to the client's hard drive when you say "your hard drive".

I'm wondering where it's secure for the user to have that going on behind the scenes?

Posted: Wed Nov 08, 2006 3:05 pm
by Luke
The FTP functions allow your server (not your local machine) to connect to another remote server and upload/download files via FTP. They don't upload/download anything from your client machine unless your client machine is an FTP server and the remote server has username/password access, in which case you probably would have given them that. They do not upload/download from the client machine. A client machine can upload files via an HTTP form (standard upload) and then transfer them elsewhere with the FTP functions. Does that make sense?
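
The flow Luke describes (browser uploads over an HTTP form, the server then forwards the file with the FTP functions), as an added example that is not part of the original thread. The host, credentials, remote directory, size limit and the form field name `upload` are assumptions; it uses `ftp_ssl_connect()` (needs PHP built with OpenSSL) instead of plain FTP because, as noted earlier in the thread, FTP sends the login in the clear.

```php
<?php
// Added example: placeholders below are assumptions, not values from the thread.
const FTP_HOST   = 'ftp.example.org';
const FTP_USER   = 'uploader';
const FTP_PASS   = 'change-me';
const REMOTE_DIR = '/incoming';
const MAX_BYTES  = 5 * 1024 * 1024;

function forward_upload(array $file): string
{
    // The browser pushed this file over HTTP and PHP stored it in a temp
    // file on the *server*. Nothing here can read the visitor's disk.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("upload failed (code $err)");
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a genuine HTTP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name is untrusted: drop any path, allow-list chars.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    if ($name === '' || $name[0] === '.') {
        throw new RuntimeException('bad file name');
    }
    $conn = ftp_ssl_connect(FTP_HOST, 21, 15);   // explicit FTPS, 15 s timeout
    if ($conn === false || !ftp_login($conn, FTP_USER, FTP_PASS)) {
        throw new RuntimeException('FTP connect/login failed');
    }
    try {
        ftp_pasv($conn, true);
        // ftp_put()'s "local" argument is a path on the web server.
        if (!ftp_put($conn, REMOTE_DIR . '/' . $name, $file['tmp_name'], FTP_BINARY)) {
            throw new RuntimeException('ftp_put failed');
        }
    } finally {
        ftp_close($conn);
    }
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    try {
        echo 'Stored as ', htmlspecialchars(forward_upload($_FILES['upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Error: ', htmlspecialchars($e->getMessage());
    }
}
```

The matching form needs `method="post"`, `enctype="multipart/form-data"` and an `<input type="file" name="upload">`; the visitor picks the file in the browser's own dialog.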

Posted: Wed Nov 08, 2006 3:37 pm
by JellyFish
Yeah, thanks for clearing that up Ninja.

What language should I use that would act as a File Transferrer (download and upload files to and from the client's hard drive) with or without the client's consent? You see, I was thinking about doing an Ajax FTP client. Are there other server languages that could do this other than Java, which I know can, but I'm not leaning towards apps?

Posted: Thu Nov 09, 2006 5:22 am
by ibbo
"with or without the client's consent?"

No ethics I see.

You're probably asking for some bother if you want to do this. Data protection etc. etc. springs immediately to mind. It's enough storing cookies on a client machine, but actually uploading and downloading from a client machine with or without consent is something I would not do (unless I'm in hacker mode) <- is that what you are?

ibbo

Posted: Fri Nov 10, 2006 3:17 pm
by JellyFish
No, but I can see why you would think that. But if you read my last post more carefully, I'm making an AJAX FTP! So, I'm not meaning to do anything malicious, all I'm doing is trying to make an FTP with Ajax. I could use Java to access the client's hard drive for uploading/downloading but then I'd have to learn Java.

When I say "with or without the client's consent" what I mean is:

With: i.e. an alert message such as Java's;
Without: a programming language that doesn't need an alert message, unlike Java, to access the client's computer.

In speculation, I'm always going to have the client's consent to transfer files to and from the server via the UI. So when I say "with or without client's consent" it's referring to the language which can go about transferring files with or without the client's consent.

Now I know there is a language out there that does not need an alert message to transfer (download) a file onto the client's hard drive; how else would there even be malicious websites out there if there weren't? Now don't take that as if I'm going to create one of these sites, I just want my FTP to feel as much like a desktop application as possible.