Override Temporary Folder?

Is there a way to define in my PHP script where a File is uploaded to?

I believe this is defined in the php.ini file, right?

If so, what code would I be looking for in the php.ini file?

Why does HTML or HTTP or whatever have to upload a file to a “temporary” location in the first place??

Thanks,

Debbie

The upload_tmp_dir directive (A quick Google would’ve pointed you in the right direction here).

I don’t know. I’d guess, because otherwise, it’d have to be held in RAM which is usually a premium on web servers.

[quote=“AnthonySterling,post:2,topic:11203”]
The upload_tmp_dir directive (A quick Google would’ve pointed you in the right direction here).

Funny, I Google “upload_tmp_dir” and “upload_tmp_dir directive” and it didn’t yield anything useful…

I don’t know. I’d guess, because otherwise, it’d have to be held in RAM which is usually a premium on web servers.[/QUOTE]

If I am trying to upload “some/path/to/doubledee.jpg” then why wouldn’t PHP just upload “doubledee.jpg” and be done with it?!

What sense does it make to take “doubledee.jpg” and upload it as “some_temp_file.jpg” and then force me to move and rename it to “doubledee.jpg” ?! :rolleyes:

Debbie

Because the temp file is stored in a place the user doesn’t have access to (and on a really good setup it is stored in a /tmp that is mounted using ]samp]noexec` so it doesn’t allow anyone ~not even root~ to execute anything in there).
So users can’t upload a malicious script and then execute it if you don’t move it somewhere they can actually access it. This gives you time to inspect the file and see if it is what it claims to be; if it is move to the correct location, if it isn’t discard it.

Now you will probably ask why you could not upload it to the path you want it to and delete it if you detect it’s malicious, to which I will say: think about what would happen if the user aborted their upload half way through (or even up to a specific point, which you could do if you have full control over the HTTP connection).

Nobody forces you to do anything btw, there are legitimate uses for uploading a file, reading it, and then discarding it (like reading data from CSV files and inserting that data in a database for later use for example).

How do I do that?

In Apache?

So users can’t upload a malicious script and then execute it if you don’t move it somewhere they can actually access it. This gives you time to inspect the file and see if it is what it claims to be; if it is move to the correct location, if it isn’t discard it.

So anything a User uploads is stored in some temporary and secret area?

Where is the Upload actually stored?

Don’t I need to know that as the developer?

Can I modify where the Temporary File is stored?

I mean what if it is stored somewhere where I don’t want or that is not secure?

Or can I just trust that PHP knows what it is doing?

Now you will probably ask why you could not upload it to the path you want it to and delete it if you detect it’s malicious, to which I will say: think about what would happen if the user aborted their upload half way through (or even up to a specific point, which you could do if you have full control over the HTTP connection).

That seems like an incomplete thought?! I don’t follow you…

Once a File has been uploaded and converted…

  • What kind of Folder do I want to use - permissions wise?

  • Where do I want to be storing the uploaded Images?

Debbie

Depends on the OS, Linux and Windows have different permission schemes.

So anything a User uploads is stored in some temporary and secret area?

Where is the Upload actually stored?

Linux: /tmp
Windows C:\Windows\Temp or C:\Users\[username]\AppData\Local\Temp or C:\Documents and Settings\Local Settings\Temp

Don’t I need to know that as the developer?

Not really.

Can I modify where the Temporary File is stored?

Yes.

Or can I just trust that PHP knows what it is doing?

Do you trust yourself?

No it’s a mounting option for /tmp you can set up in your stab file (usually /etc/fstab).

I don’t know about secret, but temporary yes.

What @logic_earth; said.

The default path (/tmp) is okay to store these files.

If you don’t you’d probably need to find some other programming language eh? :wink:

That’s probably because it is an incomplete though, for you to finish … :wink:

Once a File has been uploaded and converted…

Just a folder that Apache can read will suffice

I always store them something “above” the public_html and when I need them to show to visitors I either let PHP stream it, or pre-process and copy it to the public_html somewhere.