[solved]Stop users running PHP scripts they've uploaded

Grim...
DevNet Resident
Posts: 1445
Joined: Tue May 18, 2004 5:32 am
Location: London, UK

[solved]Stop users running PHP scripts they've uploaded

Post by Grim... »

I'm making an online file storage app, which lets users upload any file they like and store it.
If they write a php script with the right include path to the config.php file (which will be easy as I am going to release the source when it's finished), they can currently upload it and list out all the passwords (or they can write a script which deletes folders, or whatever).

Is there any way to stop php scripts (and anything else for that matter) from running in these 'user' folders, while still letting them get at the information that's there?

I've fiddled with chmod, but setting the file to read+write only (ie. no execute) didn't make any difference.

I'm trying to avoid forcing them to download the file to see it, so if there are other options, that would be great.
Last edited by Grim... on Tue May 01, 2007 9:28 am, edited 1 time in total.
Grim...

Re: Stop users running PHP scripts they've uploaded

Post by Grim... »

Grim... wrote: I'm trying to avoid forcing them to download the file to see it, so if there are other options, that would be great.
Actually, that wouldn't help anyway - once their file exists on the server, they could just browse straight to it.
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

mod_rewrite + file_get_contents()
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Use .htaccess to turn the PHP engine off. That stops it cold. :)

http://php.net/ref.apache#apache.configuration
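What a practitioner would put in that per-user upload directory's .htaccess today, as an added example that is not from the thread: the `php_flag engine off` line is what solved it here, and the remaining directives cover the cases it does not reach. It assumes Apache 2.2-era mod_php5 (as in the thread), that the upload tree sits under the DocumentRoot, and that the server's `AllowOverride` for that path permits `Options` and `FileInfo`.

```apache
# .htaccess for the per-user upload directory; applies to its subfolders too.
# Added example for this thread, not the original poster's configuration.

# 1. mod_php only: switch the PHP engine off for this directory tree.
#    Needs "AllowOverride Options" (or All) for this path in httpd.conf.
#    Caveat: if mod_php is not loaded, php_flag is an unknown directive and
#    every request in this tree fails with a 500, hence the IfModule guard
#    (use mod_php7.c / mod_php.c for newer PHP builds).
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# 2. Any PHP SAPI (CGI, FastCGI): detach the PHP handler and MIME type from
#    script extensions so Apache serves them as plain text instead of
#    executing them. Needs "AllowOverride FileInfo".
RemoveHandler .php .phtml .php3 .php4 .php5 .phps
RemoveType    .php .phtml .php3 .php4 .php5 .phps
AddType text/plain .php .phtml .php3 .php4 .php5 .phps

# 3. No CGI scripts or server-side includes from this tree, and no
#    directory listings of other users' files.
Options -ExecCGI -Includes -Indexes
```

One limit to know about: a `<FilesMatch>` with `SetHandler` in the server config (the usual way PHP-FPM is wired up) is merged after .htaccess and can re-attach the handler, so the robust design is Oren's suggestion above, keeping uploads outside the DocumentRoot and serving them through a script.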
Grim...

Post by Grim... »

I'm a bit crappy at .htaccess, so bear with me:
Do I have to do anything besides create a file called '.htaccess' in the subfolder (with the 'bad' php scripts in) with the contents:

Code:

    php_flag engine off

Do I need to reload apache or anything?

The reason I ask is because it doesn't seem to work :(

[edit]Hold the phone, it works!
It was just a cached version of the old script I was seeing.
It works for subfolders, too!

Thanks for your time, both :)
Grim...

Post by Grim... »

Quick question that doesn't really deserve its own thread:
Why won't adding 'php_flag safe_mode off' into the .htaccess file turn off safe mode?
Is it restricted elsewhere?
feyd

Post by feyd »

Note the access permissions level: http://php.net/features.safe-mode#ini.sect.safe-mode
Grim...

Post by Grim... »

Um... Which bit now?
feyd

Post by feyd »

The first row of data in table 42.1.
Grim...

Post by Grim... »

Code:

    Name         Default  Changeable
    safe_mode    "0"      PHP_INI_SYSTEM

That bit?

I get the feeling I'm being a bit dumb here, but I'm missing the point...
feyd

Post by feyd »

Look up what PHP_INI_SYSTEM means...

http://www.php.net/manual/en/ini.php#id9555669
Grim...

Post by Grim... »

Durr. Thanks mate.

All over the web, there are reports of other people doing this successfully. Sucks to be me.