Dynamic open_basedir

rohypnol
Hello,

Is it possible to have a dynamic open_basedir, depending on the URL? I'm running PHP 5.2.latest, Apache 2.latest on Windows XP SP3.
My goal is to restrict scripts' access to their folders, so that c:\apache\htdocs\username\script.php has open_basedir set to c:\apache\htdocs\username and can be accessed by http://username.server.com/script.php or http://www.server.com/username/script.php; the URL format doesn't matter.
Jul 14 '08 #1
pbmods
Heya, Rohypnol.

Keep in mind that open_basedir will be removed in PHP 6, so this would just be a temporary patch.

You might be able to set this value using .htaccess files (http://www.karakas-online.de/EN-Book...arameters.html).
Jul 14 '08 #2
Hello pbmods,

I've tried setting the open_basedir value from .htaccess but it doesn't seem to work. I've tried different variations of
    php_value open_basedir "z:/public/tom/"
(adding an equal sign before the value, with and without quotes, \ and \\ instead of /) but nothing seems to work. Apache-specific settings work fine.

Are you aware of an easy way to limit file access to the execution directory and its sub-directories, forbidding scripts to access parent directories?
I have Z:/public/ where I'd like to create many sub-directories and everything inside each sub-directory shouldn't have access to Z:/public/ nor its parents. If possible, I'd like to avoid using
    open_basedir = .
in php.ini so scripts could access files in sub-directories.
Running PHP 5.2.x, Apache 2.2.x on Windows XP.

Thanks,
Tom
Jul 16 '08 #3
pbmods
Heya, Tom.

Unless you're allowing Users to execute arbitrary code on your server, I'm not sure I understand why you need a dynamic open_basedir.

Perhaps there is an alternative solution to the problem you are facing. What is your script designed to do?
Jul 20 '08 #4
It was supposed to stop users from accessing other users' files. I wanted to set up a free PHP host to which people could subscribe based on an invitation. I found an FTP server which was easy to control by adding a user/password in a text file (it re-read the config file every time someone tried to connect) so all I needed was some way to limit users' access to their folders.

Thanks for your help anyway :)

Regards,
Tom
Jul 29 '08 #5
pbmods
You can simulate open_basedir by comparing the file path based on who's logged in.

As an example, let's say you organize your filesystem by User ID, and all files are stored in "/www/userfiles/".

If User 3 is logged in, you would check to make sure that the path starts with "/www/userfiles/3/". Use realpath() to make sure the User doesn't use filepath injection (http://php.net/realpath).
Jul 29 '08 #6
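
The prefix check described in post #6, as an added example that is not part of the original thread. `resolve_user_path()` is a hypothetical name, the directory tree is constructed under the system temp directory, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): confine a requested path to one
// user's directory. resolve_user_path() is a hypothetical helper name.

function resolve_user_path(string $baseDir, int $userId, string $requested): ?string
{
    // Canonical root for this user; the directory must already exist.
    $root = realpath($baseDir . DIRECTORY_SEPARATOR . $userId);
    if ($root === false) {
        return null;
    }

    // realpath() collapses "." and "..", follows symlinks, and returns
    // false when the target does not exist.
    $full = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($full === false) {
        return null;
    }

    // Compare against the root plus a trailing separator, so that the
    // directory for user 3 does not also match the one for user 30.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($full !== $root && strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed sample layout: two user directories, one file in each.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'userfiles_demo_' . getmypid();
foreach (['3', '30'] as $dir) {
    mkdir($base . DIRECTORY_SEPARATOR . $dir, 0700, true);
}
file_put_contents("$base/3/notes.txt", 'mine');
file_put_contents("$base/30/secret.txt", 'theirs');

// Requests made on behalf of user 3.
foreach (['notes.txt', '../3/notes.txt', '../30/secret.txt', 'missing.txt'] as $req) {
    $resolved = resolve_user_path($base, 3, $req);
    printf("%-20s %s\n", $req, $resolved === null ? 'DENIED' : "OK ($resolved)");
}
```

The check only constrains paths that the application's own code opens; it does not confine PHP scripts that users upload and run themselves.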
> You can simulate open_basedir by comparing the file path based on who's logged in.

Sorry, I want to allow them to run their own PHP scripts, which means that I have no control over what they do except for the open_basedir and disable_functions php.ini settings.

Thanks anyway :)
Jul 29 '08 #7
