gproduct
Posts: 59
Joined: Tue Aug 11, 2015 1:27 pm

Can't upload file to apache server

Sat Jul 23, 2016 7:14 pm

I have a php script that is used for uploading image to a folder in the /var/www/html folder.

Code:

<?php
// Relative path: resolved against the script's working directory (/var/www/html/uploads/)
$target_path = "uploads/";

// Destination keeps the client-supplied file name (base name only)
$target_path = $target_path . basename($_FILES['uploadedfile']['name']);

// move_uploaded_file() returns false (and logs a warning) if the target directory
// is not writable by the user httpd runs as
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file " . basename($_FILES['uploadedfile']['name']) .
        " has been uploaded";
} else {
    echo "There was an error uploading the file, please try again!";
}
?>
There is always the error message popping out. I tried giving permission to the folder and the script but it won't work.
Any suggestions?

Thanks

pksato
Posts: 295
Joined: Fri Aug 03, 2012 5:25 pm
Location: Brazil

Re: Can't upload file to apache server

Sat Jul 23, 2016 10:32 pm

Hi.
You don't want to upload files via insecure HTTP POST, right?
File upload via HTTP POST is the way to gain access to your server. An attacker installs some malware and makes your RPi a zombie.

If you really want to upload files, you need to make it very secure.
Don't use a relative path, always use a full path.
Not use:
$target_path = "uploads/";
Use:
$target_path = "/var/www/uploads/";
Or better, don't use public directory, instead use some other place.
$target_path = "/some/where/uploads/";
And make a server alias to this location.
Sanitize all external variables: from POST, GET, SERVER, FILES, etc.
PHP has a lot of functions to do it.

The upload directory needs to be writable by the user or group that runs httpd (Apache, or other). On Debian it is www-data.
sudo chown www-data:www-data /some/where/uploads/
sudo chmod u+rwx,g+rx-w,o-rwx /some/where/uploads/

I recommend disabling PHP (and other CGIs) in this directory, and restricting file types to images and other safe files (no .html, no .js).
It can be done in a .htaccess file.

Code:

# Turn off the PHP engine for this directory (needs mod_php and AllowOverride Options)
php_flag engine off
# No CGI execution either
Options -ExecCGI
# Deny everything by default, then allow only the listed extensions
# (Apache 2.2 access syntax; on 2.4 it needs mod_access_compat, or use Require)
order allow,deny
<Files ~ "\.(jpg|jpeg|png|gif|pdf|txt|bmp)$">
   allow from all
</Files>
And other security measures.
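The following is an added example handler, not code from either poster, that puts the advice in the reply above into one script: an absolute directory outside the document root, a size limit, content sniffing instead of trusting the client's file name or type, a server-generated file name, and an explicit writability check so the "There was an error uploading" case reports its real cause to the log. The directory path, field name, size limit and allowed types are assumptions to adapt to your own server.

```php
<?php
// Added example (not the original poster's or pksato's code).
// UPLOAD_DIR, the 'uploadedfile' field name, MAX_BYTES and ALLOWED are assumptions.
declare(strict_types=1);

// Absolute path, outside the document root; serve it through an Alias if needed.
const UPLOAD_DIR = '/some/where/uploads';
const MAX_BYTES  = 2 * 1024 * 1024; // 2 MiB, also cap upload_max_filesize in php.ini
// Allowlist: MIME type detected from the content => extension we will write.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one $_FILES entry and store it under a random name.
 * Returns the stored file name, or throws RuntimeException with the reason
 * (meant for the log, not for the client).
 */
function store_upload(array $file, string $dir): string
{
    // 1. PHP's own upload status: anything but UPLOAD_ERR_OK is a failure.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . ($file['error'] ?? 'missing'));
    }
    // 2. Only accept a file that really arrived through the HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // 3. Size limit.
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 4. Sniff the content; never trust the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('disallowed content type: ' . var_export($mime, true));
    }
    // 5. The usual cause of a failed move: directory missing or not writable
    //    by the user httpd runs as (www-data on Debian). Say so explicitly.
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException("upload dir $dir is missing or not writable by the web server user");
    }
    // 6. Server-chosen random name: no path traversal, no double extensions.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = $dir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

if (!isset($_FILES['uploadedfile'])) {
    http_response_code(400);
    exit('no file field');
}
try {
    $stored = store_upload($_FILES['uploadedfile'], UPLOAD_DIR);
    echo 'The file has been uploaded as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    error_log('upload rejected: ' . $e->getMessage()); // detail goes to the server log only
    http_response_code(400);
    echo 'There was an error uploading the file, please try again!';
}
```

The client only ever sees the generic message; the specific reason (bad error code, wrong content type, unwritable directory) lands in the Apache error log, which is where to look when the original script's else branch fires. Combined with the .htaccess rules in the reply, an uploaded file can be stored under a name the client did not choose and can never be executed, even if the allowlist is later widened.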
