I have this function on my website where users can create files/edit/delete them, etc. When they make a file, it goes to "www.example.com/site/(their username)/file.php". But, with PHP they can potentially access files outside of their directory, and I want to limit that with a user-accessible .htaccess file. I have seen I can set open_basedir in .htaccess, but haven't found anything on HOW to set it. I have seen `php_value open_basedir "/directory/subdirectory"`, but when I try it on a file it doesn't work. Any suggestions?

kzhao14
- How are you running PHP? Module? CGI? What value is returned when reading this value from a file accessed within this location? – MrWhite Aug 07 '15 at 16:44
- Don't know how I'm running PHP, using shared hosting. I'm using a `$cont=file_get_contents("index.php"); echo "";` to check if it works, and all it displays is the textarea with the file contents. – kzhao14 Aug 08 '15 at 00:27
- You can call `phpinfo()` to see how PHP is being run. Basically, you need to be running PHP as an Apache module to be able to set this in .htaccess, otherwise if you're on FastCGI you'll need to use a `.user.ini` (or per-directory `php.ini`?) file. – MrWhite Aug 08 '15 at 00:41
- OK, I called `phpinfo()`. What shows how I'm running PHP? – kzhao14 Aug 08 '15 at 00:47
- "Server API" - near the top. Also what version of PHP? – MrWhite Aug 08 '15 at 00:48
- LiteSpeed V6.8, PHP version 5.2.17 (for some functional reasons) – kzhao14 Aug 08 '15 at 00:50
- Ah, your PHP version appears to be a problem unfortunately... you need PHP 5.3+ to be able to further restrict `open_basedir` at runtime. – MrWhite Aug 08 '15 at 00:57
- OK, thanks. Do you have any suggestions on how I could restrict it? – kzhao14 Aug 08 '15 at 01:00
- Just the usual file perms. Only make editable (by PHP) what needs to be editable. Make sure that user editable content is quite separate from any of your core files. – MrWhite Aug 08 '15 at 01:06
- I have many files, is it possible for me to change permission for all files at the same time? – kzhao14 Aug 08 '15 at 01:08
- I wish this question had been answered as asked. I'm having trouble writing a file into a full rwx directory with NO basedir according to phpinfo. – David Spector Oct 14 '18 at 22:15
1 Answer
In a root page like index, execute the PHP command `echo __DIR__`.
Put the resulting folder in your .htaccess like `php_value open_basedir "result"`.
Check it in any page with the PHP command `phpinfo()`.

Joao Pedro Esteves
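An added example, not code from the question, the comments or the answer: a diagnostic page that reports the Server API and PHP version the comments ask about, says where `open_basedir` could be set according to those comments, and tests whether a file outside the user directory is actually blocked. The function name `open_basedir_check` and the probe path (an `index.php` one level above the script) are assumptions; the script avoids `__DIR__` and short array syntax so it also parses on PHP 5.2.

```php
<?php
// Added example, not code from the thread. The probe path is hypothetical.
function open_basedir_check($userDir, $outsideFile)
{
    $sapi  = php_sapi_name();                       // "Server API" in phpinfo()
    $has53 = version_compare(PHP_VERSION, '5.3.0', '>=');

    // Where the directive can be placed, following the comments above.
    if ($sapi === 'apache2handler' || $sapi === 'apache') {
        $where = '.htaccess: php_value open_basedir "' . $userDir . '"';
    } elseif ($has53 && ($sapi === 'cgi-fcgi' || $sapi === 'fpm-fcgi')) {
        $where = '.user.ini: open_basedir = "' . $userDir . '"';
    } else {
        $where = 'unknown for this SAPI/version: check with the host';
    }

    // Is the probe readable before any tightening? If not, the test below
    // cannot tell "blocked by open_basedir" from "missing or no permission".
    $before = @file_get_contents($outsideFile) !== false;

    // PHP 5.3+ lets a script tighten (never loosen) open_basedir at runtime.
    // This affects the current request only. The trailing separator stops
    // older builds from treating the value as a bare path prefix.
    $tightened = false;
    if ($has53) {
        $base = rtrim($userDir, '/\\') . DIRECTORY_SEPARATOR;
        ini_set('open_basedir', $base);
        $tightened = (ini_get('open_basedir') === $base);
    }
    $after = @file_get_contents($outsideFile) !== false;

    return array(
        'sapi'                 => $sapi,
        'php_version'          => PHP_VERSION,
        'open_basedir'         => ini_get('open_basedir'),
        'set_it_in'            => $where,
        'runtime_tighten_ok'   => $tightened,
        // null means the probe was unreadable to begin with (inconclusive).
        'outside_read_blocked' => $before ? !$after : null,
    );
}

header('Content-Type: text/plain');
$here = dirname(__FILE__);
print_r(open_basedir_check($here, dirname($here) . '/index.php'));
```

If `outside_read_blocked` is `false` after a `php_value` line was added to .htaccess, the directive is not being applied under the reported Server API.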