user1362916

Reputation: 119

Display source of PHP files

I'm working on an upload script, and I want a user to be able to upload any file. I had it all working on localhost; I added

    php_flag engine off 
    AddType text/plain php html shtml php5 php4 php3 cgi asp aspx xml

to my .htaccess in the upload folder, and it showed the source of PHP, HTML and all other files, exactly as I wanted. Now I tried to upload it to a real webserver, and unfortunately my host does not allow such .htaccess files.

I tried opening the files with file_get_content() and fopen() and giving them a text/plain header, but nothing works. It first executes the scripts and shows the output in my textarea.

Do you guys have any suggestions on how I can fix this without .htaccess?

Thanks!

Upvotes: 0

Views: 697

Answers (1)

deceze

Reputation: 522461

Don't upload files into the webroot and let people access them directly. As you say, .php scripts (and probably a lot more) get executed that way. A classic way for arbitrary code execution attacks.

Store uploaded files outside the webroot where they're not publicly accessible and create a script that allows users to download the files, for example using readfile or Apache mod_xsendfile, after having done the necessary permission checks.

Also see Security threats with uploads.

Upvotes: 1
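The download-script approach from the answer above, as an added example that is not code from the question or the answer. It assumes (none of this is on the page) that uploads are stored under `/var/uploads` outside the document root under server-generated names, that a database table maps an opaque id to each file's stored name, original name and owner, and that the logged-in user's id is in the session. The client only ever supplies the opaque id; the path is built from the server-side record, so a user-controlled filename never reaches the filesystem, and the response tells the browser to download an opaque attachment rather than render it.

```php
<?php
// download.php: added example, not code from the original question or answer.
// Assumptions (not from the page): uploads live in /var/uploads, outside the
// document root; each upload has a record mapping an opaque id to its stored
// name, original name and owner; the session holds the current user's id.
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';

// Constructed stand-in for the uploads table: opaque id => metadata.
// Stored names are generated by the server, so the user-chosen name never
// becomes part of a filesystem path.
$uploads = [
    'a1b2c3' => ['stored' => 'a1b2c3.bin', 'name' => 'report.php', 'owner' => 42],
    'd4e5f6' => ['stored' => 'd4e5f6.bin', 'name' => 'notes.html', 'owner' => 7],
];

session_start();
$currentUser = $_SESSION['user_id'] ?? null;
if ($currentUser === null) {
    http_response_code(401);
    exit('Login required');
}

// Accept only an opaque id from the client and look it up; never use it as a path.
$id = $_GET['id'] ?? '';
if (!preg_match('/^[a-f0-9]{6}$/', $id) || !isset($uploads[$id])) {
    http_response_code(404);
    exit('Not found');
}
$meta = $uploads[$id];

// Permission check (the "necessary permission checks" from the answer):
// here only the owner may download the file.
if ($meta['owner'] !== $currentUser) {
    http_response_code(403);
    exit('Forbidden');
}

// Defence in depth: the resolved path must still be inside UPLOAD_DIR.
$real = realpath(UPLOAD_DIR . '/' . $meta['stored']);
if ($real === false || strpos($real, UPLOAD_DIR . '/') !== 0 || !is_file($real)) {
    http_response_code(404);
    exit('Not found');
}

// Serve as an opaque attachment: the browser downloads instead of rendering,
// and nosniff stops it from guessing a different type, so uploaded HTML or
// PHP is never interpreted by the browser or the server.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($real));
// Keep only safe characters from the original name before echoing it in a header.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $meta['name']);
header('Content-Disposition: attachment; filename="' . $safeName . '"');

// Option A: PHP streams the file itself.
readfile($real);

// Option B: with Apache mod_xsendfile enabled, replace readfile() (and drop the
// Content-Length header) with the line below and Apache streams the file:
// header('X-Sendfile: ' . $real);
```

Because the file is read from a directory the webserver never maps to a URL, no `php_flag engine off` or `AddType` rule is needed: nothing under `/var/uploads` can be requested directly, and the only way to reach a file is through this script after the login and ownership checks have passed.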
