[Phpmyadmin-devel] insert/update row with file contents
Hi, is there an option to select a file from a user directory to be filled into a field? if so, than tbl_replace_fields.inc.php handles this, but it uses move_uploaded_file() on this file, did anybody test this this? does this work? move_uploaded_file() should only work on files uploaded by form ... -- Sebastian Mendel www.sebastianmendel.de
Sebastian Mendel a écrit :
Hi,
is there an option to select a file from a user directory to be filled into a field?
Yes, try Insert into a table containing a BLOB.
if so, than tbl_replace_fields.inc.php handles this, but it uses move_uploaded_file() on this file, did anybody test this this?
It has been tested a few years ago.
does this work?
move_uploaded_file() should only work on files uploaded by form ...
On the Insert page, the file is uploaded thru a form. Marc
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Hi,
is there an option to select a file from a user directory to be filled into a field?
Yes, try Insert into a table containing a BLOB.
if so, than tbl_replace_fields.inc.php handles this, but it uses move_uploaded_file() on this file, did anybody test this this?
It has been tested a few years ago.
does this work?
move_uploaded_file() should only work on files uploaded by form ...
On the Insert page, the file is uploaded thru a form.
i am not talking about uploaded files via form, i am talking about the file a user can select when $cfg['UploadDir'] is set if open_basedir restriction is set PMA checks for a directory ./tmp/, only checks, but does not create it, i don't know if this mentioned somewhere in the documentation if this directory exists and is writable, PMA trys to move the file out of the $cfg['UploadDir'] to this tmp-directory with the function move_uploaded_file() ... IMHO this will not work! can anyone confirm? -- Sebastian Mendel www.sebastianmendel.de
Sebastian Mendel schrieb:
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Hi,
is there an option to select a file from a user directory to be filled into a field? Yes, try Insert into a table containing a BLOB.
if so, than tbl_replace_fields.inc.php handles this, but it uses move_uploaded_file() on this file, did anybody test this this? It has been tested a few years ago. does this work?
move_uploaded_file() should only work on files uploaded by form ...
On the Insert page, the file is uploaded thru a form.
i am not talking about uploaded files via form, i am talking about the file a user can select when $cfg['UploadDir'] is set
if open_basedir restriction is set PMA checks for a directory ./tmp/, only checks, but does not create it, i don't know if this mentioned somewhere in the documentation
if this directory exists and is writable, PMA trys to move the file out of the $cfg['UploadDir'] to this tmp-directory with the function move_uploaded_file() ... IMHO this will not work!
can anyone confirm?
after manually creating this ./tmp/ directory in /phpMyAdmin/ move_uploaded_file() returns false - this is what i expected my questions are: is it inetentionally that phpMyAdmin does not try to create this ./tmp/ folder or use a config variable for this? did anyone test if PHP can move a file out of the open_basedir into the open_basedir ??? this would be senseless ... -- Sebastian Mendel www.sebastianmendel.de
Sebastian Mendel a écrit :
Sebastian Mendel schrieb:
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Hi,
is there an option to select a file from a user directory to be filled into a field? Yes, try Insert into a table containing a BLOB.
if so, than tbl_replace_fields.inc.php handles this, but it uses move_uploaded_file() on this file, did anybody test this this? It has been tested a few years ago. does this work?
move_uploaded_file() should only work on files uploaded by form ...
On the Insert page, the file is uploaded thru a form.
i am not talking about uploaded files via form, i am talking about the file a user can select when $cfg['UploadDir'] is set
if open_basedir restriction is set PMA checks for a directory ./tmp/, only checks, but does not create it, i don't know if this mentioned somewhere in the documentation
if this directory exists and is writable, PMA trys to move the file out of the $cfg['UploadDir'] to this tmp-directory with the function move_uploaded_file() ... IMHO this will not work!
can anyone confirm?
after manually creating this ./tmp/ directory in /phpMyAdmin/ move_uploaded_file() returns false - this is what i expected
my questions are:
is it inetentionally that phpMyAdmin does not try to create this ./tmp/
This might be impossible on a server running in safe mode, ownership would be wrong.
folder or use a config variable for this?
Could be done, but I wonder about the permissions.
did anyone test if PHP can move a file out of the open_basedir into the open_basedir ??? this would be senseless ...
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Sebastian Mendel schrieb:
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Hi,
is there an option to select a file from a user directory to be filled into a field? Yes, try Insert into a table containing a BLOB.
if so, than tbl_replace_fields.inc.php handles this, but it uses move_uploaded_file() on this file, did anybody test this this? It has been tested a few years ago. does this work?
move_uploaded_file() should only work on files uploaded by form ...
On the Insert page, the file is uploaded thru a form. i am not talking about uploaded files via form, i am talking about the file a user can select when $cfg['UploadDir'] is set
if open_basedir restriction is set PMA checks for a directory ./tmp/, only checks, but does not create it, i don't know if this mentioned somewhere in the documentation
if this directory exists and is writable, PMA trys to move the file out of the $cfg['UploadDir'] to this tmp-directory with the function move_uploaded_file() ... IMHO this will not work!
can anyone confirm? after manually creating this ./tmp/ directory in /phpMyAdmin/ move_uploaded_file() returns false - this is what i expected
my questions are:
is it inetentionally that phpMyAdmin does not try to create this ./tmp/
This might be impossible on a server running in safe mode, ownership would be wrong.
i didn't tried this, but can't imagine ...
folder or use a config variable for this?
Could be done, but I wonder about the permissions.
i don't understand why this file is moved (or better tried to be moved), if the file can be accessed than i can read in the contents and there is no need to move the file before read in the contents ... i think nijel or garvin did write this code - anyone of you remember why it is/was used this way? -- Sebastian Mendel www.sebastianmendel.de
Hi On Tue, 12 Dec 2006 16:21:28 +0100 Sebastian Mendel <lists@sebastianmendel.de> wrote:
i think nijel or garvin did write this code - anyone of you remember why it is/was used this way?
I didn't write this code, maybe just move it around, but I never used it. -- Michal Čihař | http://cihar.com | http://blog.cihar.com
Michal Čihař a écrit :
Hi
On Tue, 12 Dec 2006 16:21:28 +0100 Sebastian Mendel <lists@sebastianmendel.de> wrote:
i think nijel or garvin did write this code - anyone of you remember why it is/was used this way?
I didn't write this code, maybe just move it around, but I never used it.
I wrote it: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/tags/RELEASE_2_2_4/p... Marc
Sebastian Mendel a écrit :
Sebastian Mendel schrieb:
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Hi,
is there an option to select a file from a user directory to be filled into a field? Yes, try Insert into a table containing a BLOB.
if so, than tbl_replace_fields.inc.php handles this, but it uses move_uploaded_file() on this file, did anybody test this this? It has been tested a few years ago. does this work?
move_uploaded_file() should only work on files uploaded by form ...
On the Insert page, the file is uploaded thru a form.
i am not talking about uploaded files via form, i am talking about the file a user can select when $cfg['UploadDir'] is set
if open_basedir restriction is set PMA checks for a directory ./tmp/, only checks, but does not create it, i don't know if this mentioned somewhere in the documentation
if this directory exists and is writable, PMA trys to move the file out of the $cfg['UploadDir'] to this tmp-directory with the function move_uploaded_file() ... IMHO this will not work!
can anyone confirm?
after manually creating this ./tmp/ directory in /phpMyAdmin/ move_uploaded_file() returns false - this is what i expected
my questions are:
is it inetentionally that phpMyAdmin does not try to create this ./tmp/ folder or use a config variable for this?
did anyone test if PHP can move a file out of the open_basedir into the open_basedir ??? this would be senseless ...
This is precisely the goal of move_uploaded_file(), to take a file validly uploaded thru PHP and to move it, respecting safe mode and the open_basedir restrictions. Marc
Marc Delisle schrieb:
did anyone test if PHP can move a file out of the open_basedir into the open_basedir ??? this would be senseless ...
This is precisely the goal of move_uploaded_file(), to take a file validly uploaded thru PHP and to move it, respecting safe mode and the open_basedir restrictions.
yes, right, but move_uploaded_file() is used there to move a NOT uploaded file - it trys to move a file placed in $cfg['UploadDir'] by something other than FORM - this should fail! -- Sebastian Mendel www.sebastianmendel.de
Sebastian Mendel a écrit :
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Hi,
is there an option to select a file from a user directory to be filled into a field? Yes, try Insert into a table containing a BLOB.
if so, than tbl_replace_fields.inc.php handles this, but it uses move_uploaded_file() on this file, did anybody test this this? It has been tested a few years ago. does this work?
move_uploaded_file() should only work on files uploaded by form ...
On the Insert page, the file is uploaded thru a form.
i am not talking about uploaded files via form, i am talking about the file a user can select when $cfg['UploadDir'] is set
if open_basedir restriction is set PMA checks for a directory ./tmp/, only checks, but does not create it, i don't know if this mentioned somewhere in the documentation
if this directory exists and is writable, PMA trys to move the file out of the $cfg['UploadDir'] to this tmp-directory with the function move_uploaded_file() ... IMHO this will not work!
can anyone confirm?
FAQ 1.11.
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Marc Delisle schrieb:
Sebastian Mendel a écrit :
Hi,
is there an option to select a file from a user directory to be filled into a field? Yes, try Insert into a table containing a BLOB.
if so, than tbl_replace_fields.inc.php handles this, but it uses move_uploaded_file() on this file, did anybody test this this? It has been tested a few years ago. does this work?
move_uploaded_file() should only work on files uploaded by form ...
On the Insert page, the file is uploaded thru a form.
i am not talking about uploaded files via form, i am talking about the file a user can select when $cfg['UploadDir'] is set
if open_basedir restriction is set PMA checks for a directory ./tmp/, only checks, but does not create it, i don't know if this mentioned somewhere in the documentation
if this directory exists and is writable, PMA trys to move the file out of the $cfg['UploadDir'] to this tmp-directory with the function move_uploaded_file() ... IMHO this will not work!
can anyone confirm?
FAQ 1.11.
http://wiki.cihar.com/pma/FAQ_1.11 talks about uploaded files, not files from $cfg['UploadDir'] -- Sebastian Mendel www.sebastianmendel.de
Marc Delisle wrote:
FAQ 1.11.
that doesn't help (at least not under windows) : Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(D:\php1B0.tmp) is not within the allowed path(s): (/HTdocs) in D:\HTdocs\PmaTrunk\libraries\tbl_replace_fields.inc.php on line 45 ---8<--- Inserted rows: 1 Warning (1265): Data truncated for column 'c1' at row 1 SQL query:INSERT INTO `blobUplTest` ( `c1` , `DATE` , `blobF` ) VALUES ( 'after ./tmp creation FAQ 1.11 ;)', '0', '' ); -- View this message in context: http://www.nabble.com/insert-update-row-with-file-contents-tf2807721.html#a7... Sent from the phpmyadmin-devel mailing list archive at Nabble.com.
Jürgen Wind a écrit :
Marc Delisle wrote:
FAQ 1.11.
that doesn't help (at least not under windows) : Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(D:\php1B0.tmp) is not within the allowed path(s): (/HTdocs) in D:\HTdocs\PmaTrunk\libraries\tbl_replace_fields.inc.php on line 45 ---8<--- Inserted rows: 1 Warning (1265): Data truncated for column 'c1' at row 1
SQL query:INSERT INTO `blobUplTest` ( `c1` , `DATE` , `blobF` ) VALUES ( 'after ./tmp creation FAQ 1.11 ;)', '0', '' );
FAQ 1.11 says "Assuming that the restriction allows you to open files in the current directory ('.')" so IMO you need the dot into your open_basedir directive.
Marc Delisle wrote:
Jürgen Wind a écrit :
Marc Delisle wrote:
FAQ 1.11.
that doesn't help (at least not under windows) : Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(D:\php1B0.tmp) is not within the allowed path(s): (/HTdocs) in D:\HTdocs\PmaTrunk\libraries\tbl_replace_fields.inc.php on line 45 ---8<--- Inserted rows: 1 Warning (1265): Data truncated for column 'c1' at row 1
SQL query:INSERT INTO `blobUplTest` ( `c1` , `DATE` , `blobF` ) VALUES ( 'after ./tmp creation FAQ 1.11 ;)', '0', '' );
FAQ 1.11 says "Assuming that the restriction allows you to open files in the current directory ('.')"
so IMO you need the dot into your open_basedir directive.
i don't think so, php.ini says: ; open_basedir, if set, limits all file operations to the defined directory ; and below. ;---8<--- open_basedir = /HTdocs ;TESTING and i have pma in D:\HTdocs\pmaxxxx -- View this message in context: http://www.nabble.com/insert-update-row-with-file-contents-tf2807721.html#a7... Sent from the phpmyadmin-devel mailing list archive at Nabble.com.
Jürgen Wind schrieb:
Marc Delisle wrote:
Jürgen Wind a écrit :
Marc Delisle wrote:
FAQ 1.11.
that doesn't help (at least not under windows) : Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(D:\php1B0.tmp) is not within the allowed path(s): (/HTdocs) in D:\HTdocs\PmaTrunk\libraries\tbl_replace_fields.inc.php on line 45 ---8<--- Inserted rows: 1 Warning (1265): Data truncated for column 'c1' at row 1
SQL query:INSERT INTO `blobUplTest` ( `c1` , `DATE` , `blobF` ) VALUES ( 'after ./tmp creation FAQ 1.11 ;)', '0', '' );
FAQ 1.11 says "Assuming that the restriction allows you to open files in the current directory ('.')"
so IMO you need the dot into your open_basedir directive.
i don't think so, php.ini says:
; open_basedir, if set, limits all file operations to the defined directory ; and below. ;---8<--- open_basedir = /HTdocs ;TESTING
and i have pma in D:\HTdocs\pmaxxxx
if your upload tmp dir (php.ini) is outside from of open_base_dir you can not open the uplaoded file ... using PHP 5.2.0, winxp, Apache tmp_name is even empty -- Sebastian Mendel www.sebastianmendel.de
Sebastian Mendel wrote:
Jürgen Wind schrieb:
i don't think so, php.ini says:
; open_basedir, if set, limits all file operations to the defined directory ; and below. ;---8<--- open_basedir = /HTdocs ;TESTING
and i have pma in D:\HTdocs\pmaxxxx
if your upload tmp dir (php.ini) is outside from of open_base_dir you can not open the uplaoded file ...
using PHP 5.2.0, winxp, Apache tmp_name is even empty
-- Sebastian Mendel
yes, but the FAQ 1.11 says: ...*all* you have to do is create a 'tmp' directory under the phpMyAdmin install directory, with permissions 777 and the same owner as the owner of your phpMyAdmin directory. The uploaded files will be moved there, and after execution of your SQL commands, removed. in addition i second your opinion that there is no need for move_uploaded_file if the file is coming from upload_dir (my upload_dir is inside base_dir) -- View this message in context: http://www.nabble.com/insert-update-row-with-file-contents-tf2807721.html#a7... Sent from the phpmyadmin-devel mailing list archive at Nabble.com.
Jürgen Wind wrote:
Marc Delisle wrote:
FAQ 1.11.
that doesn't help (at least not under windows) : Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(D:\php1B0.tmp) is not within the allowed path(s): (/HTdocs) in D:\HTdocs\PmaTrunk\libraries\tbl_replace_fields.inc.php on line 45 ---8<--- Inserted rows: 1 Warning (1265): Data truncated for column 'c1' at row 1
SQL query:INSERT INTO `blobUplTest` ( `c1` , `DATE` , `blobF` ) VALUES ( 'after ./tmp creation FAQ 1.11 ;)', '0', '' );
ok, my upload_tmp_dir was not inside open_basedir = /HTdocs but this should only be used if the file comes from the "browse/upload from local disk form" -- View this message in context: http://www.nabble.com/insert-update-row-with-file-contents-tf2807721.html#a7... Sent from the phpmyadmin-devel mailing list archive at Nabble.com.
Jürgen Wind a écrit :
Jürgen Wind wrote:
Marc Delisle wrote:
FAQ 1.11.
that doesn't help (at least not under windows) : Warning: fopen() [function.fopen]: open_basedir restriction in effect. File(D:\php1B0.tmp) is not within the allowed path(s): (/HTdocs) in D:\HTdocs\PmaTrunk\libraries\tbl_replace_fields.inc.php on line 45 ---8<--- Inserted rows: 1 Warning (1265): Data truncated for column 'c1' at row 1
SQL query:INSERT INTO `blobUplTest` ( `c1` , `DATE` , `blobF` ) VALUES ( 'after ./tmp creation FAQ 1.11 ;)', '0', '' );
ok, my upload_tmp_dir was not inside open_basedir = /HTdocs but this should only be used if the file comes from the "browse/upload from local disk form"
I looked again at the code. This code has changed a lot since PMA 2.2.4 :) The original code (and FAQ 1.11) was only intended to make HTTP uploads work with open_basedir restrictions, and move_uploaded_dir() only handled uploaded files; the UploadDir mechanism was not related to that. The current code has a lot of problems. For example, fopen() at line 45 $val = fread(fopen($data_file, 'rb'), filesize($data_file)); fails if open_basedir is in effect. There is also the move_uploaded_file() issue you mentionned. Sebastian, are you working on this? If not, I can work on this. Marc
i can confirm that upload from uploaddir fails if base_dir is set to "/htdocs" : Inserted rows: 1 Warning (1265): Data truncated for column 'c1' at row 1 SQL query:INSERT INTO `blobUplTest` ( `c1` , `DATE` , `blobF` ) VALUES ( 'with base_dir restriktions', '0', '' ); but works well if base_dir is not set. -- View this message in context: http://www.nabble.com/insert-update-row-with-file-contents-tf2807721.html#a7... Sent from the phpmyadmin-devel mailing list archive at Nabble.com.
Jürgen Wind schrieb:
i can confirm that upload from uploaddir fails if base_dir is set to "/htdocs" :
Inserted rows: 1 Warning (1265): Data truncated for column 'c1' at row 1
SQL query:INSERT INTO `blobUplTest` ( `c1` , `DATE` , `blobF` ) VALUES ( 'with base_dir restriktions', '0', '' );
yes, this is what i expected, so this piece of code is absolutely useless, if someone places the $cfg['UploadDir'] out of open_base_dir ...
but works well if base_dir is not set.
yes, if open_base_dir is not set, move_uploaded_file() is not invoked -- Sebastian Mendel www.sebastianmendel.de
participants (5)
-
Jürgen Wind -
Marc Delisle -
Marc Delisle
-
Michal Čihař -
Sebastian Mendel