Thread: Need help with htaccess and PHP
-
Nov 23, 2006, 13:05 #1
Need help with htaccess and PHP
Hello,
I am making a hosting script where users can upload files to it. It would automatically create a directory when you create an account for the user.
Now my question is, since the directory will be able to upload all kinds of files, is there some way in htaccess to make it so that PHP can't access outside that directory? (I know readfile() can view files outside their directory.)
Is there any way to prevent the users from getting access outside their directories so that they can't mess up other users' files?
Thanks for your time.
Mike
-
Nov 23, 2006, 13:12 #2
If you don't leave any holes in your script, they're not going to be able to get outside their directory... you prevent access by not providing it in the first place.
Try Improvely, your online marketing dashboard.
→ Conversion tracking, click fraud detection, A/B testing and more
-
Nov 23, 2006, 13:16 #3
But when you first make the directory automatically, it has to be 777 so that the users can access it, right? (And so all the user directories are going to be 777.)
If they are all 777 (so the user can upload/create/delete/etc.), there has to be something to restrict them so they can't do stuff in other people's directories.
Thanks for your time
-
Nov 23, 2006, 13:33 #4
You mean other people with shell access to the server? Not your website users?
-
Nov 23, 2006, 13:34 #5
If you want to allow them to upload PHP scripts, you're playing with a lot of fire.
Creating Apache virtualhosts and applying a PHP open_basedir restriction sounds kind of like what you're after, but there are many other possibilities you must consider.
-
Nov 23, 2006, 13:36 #6
I mean that I am making a hosting script, so when a user signs up, the server will automatically create a directory for him.
For him to access that directory, he will need 777 since he didn't create it (I think). And so when lots of users create an account (directory), all will be 777.
This is not safe since any user could use readdir() to read other users' directories and find their code and do other things. Is there any way to prevent this?
Thanks
-
Nov 23, 2006, 13:38 #7
So you're actually providing web hosting with full access to the user's directory.. in which case, you should be creating actual users on the server, and home directories owned by those users, which aren't accessible by other users.
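The setup posts #5 and #7 describe, written out as an added example (not code from the thread): a real Unix account per customer, a home directory that other accounts cannot enter, and a per-customer Apache vhost that confines PHP with open_basedir. It assumes Linux, Apache with mod_php running as group www-data, and a hypothetical `example.test` domain; the function name `provision_user` is mine.

```shell
#!/bin/sh
# provision_user NAME HOSTING_ROOT VHOST_DIR
#   NAME:         customer's login name (becomes the Unix account)
#   HOSTING_ROOT: parent of all customer directories, e.g. /var/www/customers
#   VHOST_DIR:    directory where the per-customer vhost file is written
provision_user() {
    name=$1; root=$2; vhostdir=$3
    home="$root/$name"
    docroot="$home/public_html"

    # 0750 instead of 0777: owner full, group read/traverse, others nothing.
    # Other shell/FTP accounts on the box cannot list or read this tree.
    mkdir -p -m 0750 "$home"
    mkdir -p -m 0750 "$docroot"
    mkdir -p "$vhostdir"

    # Real system account that owns the directory. useradd/chown need root,
    # so this step only runs when the script is executed as root.
    # www-data is assumed to be the web server's group.
    if [ "$(id -u)" -eq 0 ]; then
        id "$name" >/dev/null 2>&1 || useradd -d "$home" -s /usr/sbin/nologin "$name"
        chown -R "$name":www-data "$home"
    fi

    # With mod_php every vhost's scripts run as the same Apache user, so the
    # directory modes alone do not stop one customer's PHP from reading another's.
    # open_basedir is the per-vhost confinement for that case; php_admin_value
    # cannot be overridden from .htaccess or ini_set().
    cat > "$vhostdir/$name.conf" <<EOF
<VirtualHost *:80>
    ServerName $name.example.test
    DocumentRoot $docroot
    php_admin_value open_basedir "$home/:/tmp/"
</VirtualHost>
EOF
}
```

The open_basedir list deliberately ends in `/tmp/` so uploads and sessions keep working; anything outside the listed prefixes is refused by PHP's file functions for that vhost only.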
-
Nov 23, 2006, 13:40 #8
mm. OK, and one last thing. Since PHP isn't safe, I was wondering if there was a way to completely restrict PHP from being uploaded or FTPed, or not run.
Any way to do this?
-
Nov 23, 2006, 13:42 #9
PHP isn't the only programming language your server has interpreters for. And restricting what types of files can be uploaded over FTP is not simple (we don't even know what FTP server you run) nor foolproof.
Why don't you just run one of those web hosting control panels that handles creating real user accounts and such properly?
-
Nov 23, 2006, 13:45 #10
I'm interested in experimenting with PHP and MySQL. I want it to be able to run on a shared server (if need be), and so I was just wondering how to do these things.
Any feedback will help. Thanks.
Update: Right now I'm experimenting with PHP on cPanel.
-
Nov 23, 2006, 14:07 #11
Hey, thanks for all your help. I figured out how to do this. All I did was use php.ini to enable safe_mode and disable dangerous functions like phpinfo(), etc.
Thanks again
-
Nov 23, 2006, 14:10 #12
mikewalterz, I don't think you understand enough about Unix filesystem permissions, webservers, and different scripting languages to do this.
safe_mode does NOT achieve what you just asked for.
-
Nov 23, 2006, 14:21 #13
o mmm. Here was my php.ini file. Do you think it may stop bad scripts?
Code:
safe_mode = On
safe_mode_gid = On
disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_terminate,proc_close"
; open_basedir expects a colon-separated list of directory paths, not a flag
open_basedir = 1
max_execution_time = 30
error_reporting = E_ALL
display_errors = Off
display_startup_errors = Off
html_errors = Off
log_errors = On
error_log = /var/log/php/errors
Thanks for your help.
-
Nov 23, 2006, 14:48 #14
No amount of changing your php configuration changes the fact that filesystem functions in any scripting language will access any file in any of your users' directories. You can't offer full-blown web hosting within a shared hosting account.