Reputation: 6852
I am using some shared hosting and have several websites. The root folder for every website is defined in the domain manager. What I need, if it is possible, is to access some images from another folder that is not in the root folder of the website.
Example
I have some folder structure
example
demo
pictures
- 1.jpg
- 2.jpg
Some website www.example.com is pointed at the folder example, but I have some images that are placed in the root of my web hosting in the folder pictures. The folder pictures is not defined with any domain; I can only access it from FTP. For the www.example.com website I need to show pictures that are placed in the pictures folder. I know MODx manager works that way, and I think it is possible. Does somebody know how?
Upvotes: 1
Views: 2828
Reputation: 57388
The main problem here is how PHP runs, i.e. under which user.
Then any of your sites can access all data on all of your sites, just by specifying the path, either absolute or relative (i.e. ../../...). To supply that information from the browser side you need to use a script that will take a URL, say img.php?img=nameofimage, and reply with the image taken not from the script's directory but from somewhere else.
You need to verify user parameters to avoid this trick becoming a vulnerability that gives access to everything on your site. For example check that the file exists, that it is in the appropriate folder (strip any other folder with basename() ), and that it is an image (quick way: getImageSize(), which will also allow you to glean the correct MIME type).
That is, scripts on www.example.com run as exampleuser:apache, www.foo.com is handled by foouser:apache, and so on.
In this case there is nothing you can do by yourself, and if there is, then the same trick would allow you to read any other customer's site, or allow them to read yours. You so don't want to take your custom to such a hosting company: it's a disaster waiting to happen.
There still is something you can do with your host's approval: ask them to change the user on all of your sites so that it is now the same user everywhere. Then apply case 1. Note that this may impact other things such as database connections (if user identity is not supplied directly from PHP, as it usually is). It shouldn't apply to you, most likely it doesn't, but if you hit some troubles that's the likely cause.
On some systems it will be possible for foouser to allow baruser to "sudo" some functions. This usually requires root (i.e. your host's knowledge, approval and possibly work), but in some setups you can do this by yourself. At that point you will be able to run a script with commands such as cat and copy a file to standard output. While possible, it is messy and not really very performant.
A compromise (still requires your host's approval) is to create a user group (miomirgroup), put some users (exampleuser, foouser, baruser...) in that group, then give group read permission to a folder in your own space to group miomirgroup. For that folder only, PHP will behave as if it was case 1.
Upvotes: 1
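The checks listed in the answer above (strip folders with basename(), confirm the file exists in the intended folder, confirm it is an image with getimagesize() and reuse its MIME type), written out as an added example that is not part of the original answer. The path in PICTURES_DIR, the helper name resolve_image(), the MIME allow-list and the extra realpath() containment check are assumptions made for this illustration.

```php
<?php
// Added example: img.php, serving images from a folder outside the web root.
// PICTURES_DIR is an assumed path; point it at your own "pictures" folder.
const PICTURES_DIR = '/home/account/pictures';
// MIME types this script is willing to serve (assumed allow-list).
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

/**
 * Map a user-supplied name to a file directly inside $dir.
 * Returns [absolutePath, mimeType] on success, null on any failed check.
 */
function resolve_image(string $dir, string $name): ?array
{
    // Drop any directory part ("../../etc/passwd" becomes "passwd").
    // Backslashes are normalised first because basename() on Linux
    // only treats "/" as a separator.
    $file = basename(str_replace('\\', '/', $name));
    if ($file === '' || $file[0] === '.' || strpos($file, "\0") !== false) {
        return null;
    }

    // realpath() resolves symlinks; the result must still sit directly in $dir.
    $base = realpath($dir);
    $path = realpath($dir . '/' . $file);
    if ($base === false || $path === false
        || dirname($path) !== $base || !is_file($path)) {
        return null;
    }

    // getimagesize() parses the file header; a non-image yields false.
    $info = @getimagesize($path);
    if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
        return null;
    }
    return [$path, $info['mime']];
}

$name  = $_GET['img'] ?? '';
$found = is_string($name) ? resolve_image(PICTURES_DIR, $name) : null;
if ($found === null) {
    http_response_code(404);   // same response for every failure reason
    exit;
}
[$path, $mime] = $found;
header('Content-Type: ' . $mime);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);   // streams bytes; never include() a user-selected file
```

A page on www.example.com would then reference a picture as img.php?img=1.jpg, and every rejected request gets the same 404 so the response does not reveal which check failed.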
Reputation: 682
Create a file img.php on the server from which you want to access images:
<?php
// Add all the image names to this array for whitelisting
$images = array("1.png",
                "2.png");
if (isset($_GET['image']) && !empty($_GET['image'])) {
    $request = $_GET['image'];
    // Strict comparison so only exact string matches pass
    if (in_array($request, $images, true)) {
        header('Content-Type: image/png');
        // readfile() streams the bytes; include would run any PHP inside the file
        readfile('/path/to/non-root/folder/' . $request);
    }
}
Now you can access the files using some.thing/img.php?image=1.png
Upvotes: 0
Reputation: 4094
Images will need to be placed in a public folder to be accessible. You can do this by placing your images in the public folder, or by placing a PHP script in the public folder that retrieves the "hidden" images and delivers them upon request.
Example 1 - Images in the public folder
For example, let's say "/public" is our public www-folder and "/private" is a folder on the FTP server that cannot be accessed from the web.
You can access the /public folder:
/wwwsites/mysite/public/images/hello.png
Link to image: <img src="/images/hello.png">
You cannot access the private folder since the web server does not allow access:
/wwwsites/mysite/private/images/hello.png
Link to image: (not possible)
Example 2 - Retrieving "hidden" images using a PHP script
http://php.net/manual/en/function.imagepng.php
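<?php
// Load the PNG (in practice, a path inside the private folder); requires the GD extension
$im = imagecreatefrompng("test.png");
header('Content-Type: image/png');
// Re-encode the image and write it to the response
imagepng($im);
imagedestroy($im);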
Upvotes: 0