Hey, i have a problem. I go to upload a file and my server auto sets the permissions of a given file to 0600 so there is no way to view the file without getting an error... can you guys find in my code and replace where i should insert the CHMOD command to set any image uploaded to 0777?

the directory relative to the script is /uploads in my directory tree.

if you guys could get the images to CHMOD after every upload, that would be great! Thanks!!



<?PHP

include("common.php");

include("include/header.php");

if($loggedin){

include("include/accmenu.php");

}



if( $_POST['submit'] && $_FILES['attached']['name'] ){

$ok_filetypes = explode("|",$att_filetypes);

if (!$_FILES['attached']['error'] && $_FILES['attached']['size'] > $att_max_size*1024){

errform('<CENTER>Sorry, but the attached file is too large. Please reduce the size of it\'s contents.</CENTER><BR><BR>'); // #err

$step = 1;

}

$filename = (!$_FILES['attached']['error'] ? substr( basename($_FILES['attached']['name']), -30 ) : '');

$x = strtolower( substr($_FILES['attached']['name'], -3));

if($filename && !in_array($x, $ok_filetypes) ){

errform('<CENTER>Sorry, the filetype you have tried to upload is not allowed.</CENTER><BR><BR>');

$step = 1;

}

if(!$posterr){

if(!isset($_GET["ipaddress"]) || ($_GET["ipaddress"] == "")) {

$ipaddress = $_SERVER['REMOTE_ADDR'];

$local = 1;

} else {

$ipaddress = $_GET["ipaddress"];

$local = 0;

}

$uniq = substr( md5(uniqid (rand())), 0, 10 );

$ext = strtolower( substr($_FILES['attached']['name'], -3));

move_uploaded_file($_FILES['attached']['tmp_name'], $att_path."/".$uniq.".".$ext );

$strQuery = "INSERT INTO images SET ";

$strQuery .= "filename='".$uniq.".".$ext."',";

$strQuery .= "ipaddress='{$ipaddress}',";

$strQuery .= "date='".time()."',";

$strQuery .= "pkey='{$uniq}',";

if($myuid){

$strQuery .= "user='{$myuid}',";

}

$strQuery .= "status='1'";

$result = mysql_query($strQuery) or die( mysql_error() );

$aid = mysql_insert_id();

if($aid){

$filen = $siteurl."/".str_replace('./', '', $att_path)."/".$uniq.".".$ext;

$filen = str_replace('http://','%%',$filen);

$filen = str_replace('//','/',$filen);

$filen = str_replace('%%','http://',$filen);


$step = 2;

}else{

$step = 1;

}

}

}else{

$step = 1;

}





if($step == 1){

?>

<table width="85%" border="0" align="center" cellpadding="0" cellspacing="0">

<tr>

<td>

<div align=center>

<form ENCTYPE="multipart/form-data" method="post" name="form1">

<INPUT NAME="attached" TYPE="file" size="50"><br>

File extensions allowed: <b><?=implode("</b>, <b>",explode("|",$att_filetypes))?></b><br>

File size limit: <b><?=$att_max_size?>KB</b>

<br><br>

<input type="submit" name="submit" value="Upload Image">

</form>

</div>

</td>

</tr>

</table>

<?

}else{ ?>

<div align="center"><b>Your image has been successfully uploaded!</b><br>

<br>

</div>

<table width="85%" border="0" align="center" cellpadding="0" cellspacing="0">

<tr>

<td><div align="center"><img src="<?=$filen?>"></div></td>

</tr>

<tr>

<td><div align="center"><br>

To insert this image in a message board post copy and paste the following

code:<br>

<textarea name="textarea" cols="100" wrap="soft" rows="3"><?=$filen?> (<?=$siteurl?>)</textarea>

</div></td>

</tr>

<tr>

<td><div align="center"><br>

To send this image to friends and family, copy and paste this code: <br>

<textarea name="textarea2" cols="100" rows="4"><?=$filen?></textarea>

</div></td>

</tr>

<tr>

<td><div align="center"><br>

To insert this image using HTML, copy and paste the following

code:<br>

<textarea name="textarea3" cols="100" wrap="soft" rows="3"><a href="<?=$siteurl?>" target="_blank"><img alt="Image Hosted by <?=$sitename?>" src="<?=$filen?>" /></a></textarea>

</div></td>

</tr>

<tr>

<td>&nbsp;</td>

</tr>

</table>





<? } ?>



<?

include("include/footer.php");

?>

after move_uploaded_file:

chmod("/path/to/dir/" . $_FILES['attached']['name'], 0777);

From php.net/chmod:

Note: The current user is the user under which PHP runs. It is probably not the same user you use for normal shell or FTP access. The mode can be changed only by user who owns the file on most systems.

Note: This function will not work on remote files as the file to be examined must be accessible via the servers filesystem.

Note: When safe mode is enabled, PHP checks whether the files or directories you are about to operate on have the same UID (owner) as the script that is being executed. In addition, you cannot set the SUID, SGID and sticky bits. So it may not work.

i don't know php very much, but in perl, you can just say:

system( "chmod 0777 $filename" );

this takes it to the system level, and bypasses PERL's (or PHP in this case) attempt to set the access. PHP might do some checking to prevent this method, I don't know.

i've found that PERL's chmod function doesn't work very well.

You likely don't want to set the file access to 0777, this would allow anyone to rwx (read, write, and execute) the file. Something like 0660 or 0666 would be more appropriate, as it wouldn't give the public the ability to upload and then execute a file containing malicious code.

If safe mode is on, system() and its ilk are disabled. Otherwise, you should be able to use chmod, since the upload would be done as whatever user php runs as.

In both PHP and Perl, be sure to include the leading 0 (0777) to establish the number as octal, or you will get some very strange permissions.

Hmm still not working, just gives me an error....

hmm

'An Error'? It may be gibberish to you, but giving us the error may help diagnose the issue. That's why PHP prints them.