upload php script

**jaytee** · 11-01-2006

Anyone know of a simple(ish) upload script in php.

I've looked at the thread http://forums.Ariotek.com/showthread.php?t=507 (Darren's upload script?), but although it says 1 file attached, I can't seem to get at any files in that thread.

Either a link to another script or if someone has the files from the above thread that would be good too.

Thanks.

**Darren** · 11-01-2006

Files attached. there from my site so need editing...

hope it helps

**Darren** · 11-01-2006

attached

**jaytee** · 11-01-2006

Thankyou, much appreciated.

**jaytee** · 11-01-2006

Is there any way to get away from having the "upload" directory world writeable? Is there some PHP configuration required?

**Darren** · 12-01-2006

change directorys edit values in script. and url's, and yeh the directory has to be 666 / 777 cmod...

**jaytee** · 12-01-2006

I guess paranoia doesn't suit me well

I'm not too trusting when it comes to the Internet, so I'll make the directory password protected as I don't want unauthorised use of the upload facility. Problem is that, using .htaccess, I think I have to have regular users logon just to see any files I have uploaded.

Under what context do php scripts run on these servers? I guess its not root and sort of assume that it runs as nobody or something similar.

It would be nice if somehow I could run a php script under the logged-in user context, so if I logged in I can upload, but if another user connects or logs on, they can only view files. I guess I could use a passwd file and write some php script to authenticate the user? Any examples gratefully received.

Any other ideas?

**Darren** · 13-01-2006

just make a php login on the upload page. easy enough

extra 2 box's on the index page (uname & pword) post to upload.php

top of upload.php

PHP Code:


 <? if($_POST[pword] == "mypassword" && $_POST[uname] == "user"){
// rest of upload code. 

// bottom of page
}
else exit("Invalid loggin infomation!");

**jaytee** · 14-01-2006

Stick this in the top of your php page and you get a browser authentication dialog. It should work with regular .htpasswd files and .group files.

The passwords generated here work okay.

PHP Code:


 
$AuthUserFile = file("/path/to/.htpasswd");
$AuthGroupFile = file("/path/to/.groups");
$group = "groupname";
$realm = "Authorisation Required";

function authenticate(){
   header("WWW-Authenticate: Basic realm=\"$realm\"");
   header('HTTP/1.0 401 Unauthorized');
   echo "You must enter a valid user name and password to access the requested resource.";
   exit;
}

for(; 1; authenticate()){
   if (!isset($HTTP_SERVER_VARS['PHP_AUTH_USER']))
       continue;

   $user = $HTTP_SERVER_VARS['PHP_AUTH_USER'];
   if(!preg_grep("/\b$user\b/", preg_grep("/^$group:/", $AuthGroupFile)))
       continue;

   if(!($authUserLine = array_shift(preg_grep("/$user:.*$/", $AuthUserFile))))
       continue;

   preg_match("/$user:((............).*)$/", $authUserLine, $matches);
   $authPW = $matches[1];
   $salt = $matches[2];
   $submittedPW = crypt($HTTP_SERVER_VARS['PHP_AUTH_PW'], $salt);
   if($submittedPW != $authPW)
       continue;

   break;
}

echo "Password Verified!"
?>

I took some of the code from php.net user comments. But the regex part was wrong in the examples given, so it was a pain to debug. It's helped me learn a bit about regex, preg_grep, crypt and salts.

I hope my pain is of some use to someone else