-1

To keep things short, I'm making a very simple file uploading script. What I need to do is take the file that was just uploaded, save it to the directory that is specified, and make the file read-only/non-executable. Why? Well, if somebody were to upload a PHP script to show somebody, the script wouldn't be allowed to run; instead, it would just show the actual text of the file.

I've been trying to do this with chmod(), but nothing has worked.

```php
$target_directory = "./" . $_POST["directory"] . "/"; // The target directory to put the file.

$file_name = $_FILES["file"]["name"]; // The name of the file being uploaded (Example: file.ext)

$target_file = $target_directory . $file_name; // The more compiled target file/location. (Example: /folder/file.ext)

if (move_uploaded_file($_FILES["file"]["tmp_name"], $target_file)) {
    echo "The file was uploaded. at <a href='" . $target_file . "'>" . $target_file . "</a>";
    chmod($target_file, 0644);
}
```

What kind of code would I need to write to make chmod() work, or to set the directory/file to not execute?

Pips
  • Need to see full uploading code and where you're storing the uploaded file(s). Otherwise, add error reporting to the top of your file(s) right after your opening PHP tag for example ` – Funk Forty Niner Mar 24 '15 at 18:16
  • Does the PHP or server user (where PHP runs, not your admin login user) have permissions to edit that directory? – Robert Dundon Mar 24 '15 at 18:19
  • Even if a PHP file is read-only and not-executable, it will still be processed as PHP code. You need to change the "php" extension to "phps" when saving the file. – kainaw Mar 24 '15 at 18:21
  • @Fred-ii- There are no errors, it's just still allowing me to execute a php script if I upload one, instead of making it read-only. – Pips Mar 24 '15 at 18:22
  • @RobertDundon It has full permission. – Pips Mar 24 '15 at 18:23
  • If the file is read-only, it still allows the web server to execute the file. – winston86 Mar 24 '15 at 18:24
  • @kainaw I'm not interested in renaming the file, that defeats the point of uploading as that kind of file. I'm interested in keeping the exact file that was uploaded, just not allowing the PHP core to process it. – Pips Mar 24 '15 at 18:25
  • On my server and by default, uploaded files are automatically set to 644, so I don't see the need to chmod it, unless your server's set up to set those permissions to something other than 644. – Funk Forty Niner Mar 24 '15 at 18:39

2 Answers

-1

You can create a redirect in .htaccess and handle the output by using `echo file_get_contents();`

winston86
  • .htaccess like: `RewriteEngine On RewriteCond "%{SCRIPT_FILENAME}" "(.*)\/my_special_folder\/(.*)\.php" RewriteRule "^(.*)\/(.*)\.php$" my_php_file_viewer.php?my_file=$2` and my_php_file_viewer.php like: `echo file_get_contents($_GET['my_file'].'.php');` – winston86 Mar 04 '19 at 16:30
-1

I fixed it myself, using .htaccess.

By using `php_flag engine off` to turn off PHP processing, and `ForceType text/plain` to force the server to serve .php files as if they were text documents.

Pips
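
An added example, not code from any of the posts above: an upload handler that keeps the uploaded file's own name and relies on the two `.htaccess` directives from this answer, rather than on `chmod()`, to stop execution. It assumes Apache with mod_php and `.htaccess` overrides enabled; `UPLOAD_ROOT`, `ALLOWED_DIRS` and `store_upload()` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumes Apache with mod_php and
// .htaccess overrides enabled; UPLOAD_ROOT and ALLOWED_DIRS are hypothetical.
declare(strict_types=1);

const UPLOAD_ROOT  = __DIR__ . '/uploads';
const ALLOWED_DIRS = ['shared', 'snippets'];
// Directives from the answer above: PHP engine off, everything as text.
const HTACCESS_RULES = "php_flag engine off\nForceType text/plain\n";

function store_upload(array $file, string $requestedDir): string
{
    // Choose the directory from a fixed list, never by concatenating input.
    if (!in_array($requestedDir, ALLOWED_DIRS, true)) {
        throw new InvalidArgumentException('Unknown target directory');
    }
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with code $error");
    }
    $dir = UPLOAD_ROOT . '/' . $requestedDir;
    if (!is_dir($dir) && !mkdir($dir, 0755, true)) {
        throw new RuntimeException("Cannot create $dir");
    }
    // Write the rules before any upload lands in the directory.
    if (file_put_contents("$dir/.htaccess", HTACCESS_RULES, LOCK_EX) === false) {
        throw new RuntimeException('Cannot write .htaccess');
    }
    // basename() drops path components; rejecting dotfiles stops an upload
    // named ".htaccess" from replacing the rules.
    $name = basename((string) ($file['name'] ?? ''));
    if ($name === '' || $name[0] === '.') {
        throw new InvalidArgumentException('Invalid file name');
    }
    $target = "$dir/$name";
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move the uploaded file');
    }
    // 0644 only limits who may write. mod_php needs read access alone to run
    // a script, so the mode is not what prevents execution.
    chmod($target, 0644);
    return "$requestedDir/$name";
}

if (isset($_FILES['file'], $_POST['directory'])) {
    $path = store_upload($_FILES['file'], (string) $_POST['directory']);
    $safe = htmlspecialchars("uploads/$path", ENT_QUOTES, 'UTF-8');
    echo "The file was uploaded at <a href='$safe'>$safe</a>";
}
```

`php_flag` is only understood when PHP runs as an Apache module (mod_php); under PHP-FPM or CGI Apache rejects the directive and requests to that directory fail, so check which handler the server uses before relying on it.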