Stop some scripts from running?

[doubledee]

I am working on a PHP script which allows users to upload their photo.

In the PHP Manual, someone made the following vague suggestion...

http://www.php.net/manual/en/functio...oaded-file.php

Quote:

You can use .htaccess to stop working some scripts as in example php file in your upload path.

use :

AddHandler cgi-script .php .pl .jsp .asp .sh .cgi
Options -ExecCGI

Any idea what this person is recommending?

Sincerely,


Debbie

[Fou-Lu]

That registers all of those file extensions as cgi-script and disables the cgi execution.
A better option would be to move files above the document root where they cannot be read directly with apache.

[doubledee]

Quote:

Originally Posted by Fou-Lu

That registers all of those file extensions as cgi-script and disables the cgi execution.
A better option would be to move files above the document root where they cannot be read directly with apache.

Well, on a related note...

Not knowing anything about server admin stuff, what would I have to do in my PHP script - and on my VPS (Linux) - to allow me to save a user uploaded picture to a directory *above* the Web Root??

Here is a snippet from my "upload.php" script which deals with this part of the entire operation...

PHP Code:

    // Create New Image.

    /* imagegif
     *
     * Takes an "Image Resource Identifier", returned by one of the image creation functions,
     * such as imagecreatetruecolor(), and creates the actual GIF file in
     * the name and location specified in $newFilePath.
     *
     * Returns TRUE on success or FALSE on failure.
     */

    switch ($imageType){
        case IMAGETYPE_GIF:
            $newPhoto = @imagegif($newTrueColorImage, $newFilePath);
            break;

        case IMAGETYPE_JPEG:
            $newPhoto = @imagejpeg($newTrueColorImage, $newFilePath);
            break;

        case IMAGETYPE_PNG:
            $newPhoto = @imagepng($newTrueColorImage, $newFilePath);
            break;

        default:
            $newPhoto = FALSE;
    } 


Is it as simple as changing things from this...

PHP Code:

    // Create New File Path.
    $newFilePath = WEB_ROOT . 'uploads/' . $newFilename; 


...to something like this...

PHP Code:

    // Create New File Path Outside Web Root.
    $newFilePath = DIRECTORY_OUTSIDE_WEB_ROOT . 'uploads/' . $newFilename; 


Sincerely,


Debbie

P.S. Are you gonna reply to my PM to you?

[Fou-Lu]

Yep, it would be pretty much just that. So long as $newFilePath is the path you are writing to, which appears to be exactly that.

[doubledee]

Quote:

Originally Posted by Fou-Lu

Yep, it would be pretty much just that. So long as $newFilePath is the path you are writing to, which appears to be exactly that.

But wouldn't I have to change some settings on the Linux server, or in Apache, or in the PHP.ini file, or even in my PHP script to make sure my script at...

Code:

WEB_ROOT/upload.php

...could Read and Write files to...

Code:

DIRECTORY_OUTSIDE_WEB_ROOT/photos/

Sincerely,


Debbie

[Fou-Lu]

Yep, you may need to change the mode on a directory above. The point is to remove the execution privilege from a directory above the document root. If its above the document root, than Apache should not execute it directly, and you would use PHP to read the directory and serve the images. This way if someone masquerades an executable as a jpeg, the worst case scenario is a garbled image.