
Best way to move files with php

Explorer, Oct 12, 2011

Hey all,

I've created an "Update Item" Page where the user is able to move the item from one category to another, however, each item has an image so the image needs to be able to move to the correct folder if the user moves the item.

Here is the code I wrote based on what I have found on the web.

A) It doesn't work

B) I've now learned this could open the site up to massive security risks.

if (array_key_exists('submit', $_POST)) {
    $oldPath = $row_rsImages['parentPage'];
    $newPath = $_POST['parentPage'];
    $file = $row_rsImages['imageURL'];
    copy('../images/photography/$oldPath/$file', '../images/photography/$newPath/$file');
}

Any ideas or pointers would be very welcome at this moment in time!

Cheers

T

TOPICS
Server side applications

Advocate, Oct 12, 2011

I guess it depends on why the images are in specific folders in the first place, and how important that is. In the grand scheme, it doesn't matter where the images actually are, because you can use different ways to link to them. Also I'm assuming that the update page "moves" the item to a different category by updating the category name or value in the item's record.

I'm not familiar with the code that copies a file from one place to another, but to do this you do have to have write permissions set on the destination folder. And yes, any time you set permissions to anything higher than read only, that does increase vulnerability. Still, the practice is not unheard of - certain applications that provide users the ability to upload files do require an upload folder with write permissions - so you should be OK as long as you're careful to only include a particular folder or folders, and not others, or the site root, or anything like that.

Further, you can add additional security if the users that use the feature have to log in - then you can protect each of the pages with page restrictions that check for the user log in as well as a certain access level.

Explorer, Oct 13, 2011

Thanks.

When they change page/folder for the photo it updates the database, so if the file has not moved, it will not display as the database will be pointing the browser to another location. Do you see what I mean? I guess it doesn't have to be like that, I thought it would just be another way to avoid the user uploading files with the same name and having to re-name them (maybe a bit too careful!).

Yep, I've set the file permission to write and the user has log in details with page restrictions on each page so all is good there.

Advocate, Oct 13, 2011

Yep, I understand - when the user changes the category, that also updates the path to the related image. And, it sounds like you are using different folders for different categories, so is it more of an organizational thing?

I'm not trying to push you into a different solution only because I don't know the answer to your original question, but I still would just use a single folder for all the images. If users have upload capabilities, then the folder would be by itself in the root with the correct permissions. All the sorting and filtering is done on the display pages according to the database values, User ID, category, etc.

If there's an issue with duplicate file names when a user uploads a new image, having different destination folders will decrease that possibility, but won't eliminate it. That's why the upload script should have provisions for what to do when it encounters an existing file name, to overwrite the file, or modify the filename. And the final version of the uploaded filename is what gets passed to the insert or update script to store it in the database.

I realize that this would require changing a number of things in your application - insert and update forms, the pages that display the images, etc. - and that getting the move script to work would be a quicker fix. You may also want to try to find out more about why that script would present any security risks in addition to just having a folder or folders with write permissions as upload repositories.
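
An added example (not from the thread or its posters) covering the move from the original question together with the duplicate-name handling described in the reply above. The question's snippet cannot work because PHP does not expand $oldPath inside single quotes, and it places $_POST['parentPage'] straight into a filesystem path. The function name moveImage, the category names and the temporary demo folder are assumptions.

```php
<?php
const CATEGORIES = ['landscape', 'portrait', 'wildlife']; // hypothetical folder names (assumption)
// Move $file from category $old to $new under $base; returns the final file name.
function moveImage(string $base, string $old, string $new, string $file): string
{
    // $new arrives in $_POST['parentPage'], so accept known folder names only.
    foreach ([$old, $new] as $cat) {
        if (!in_array($cat, CATEGORIES, true)) {
            throw new InvalidArgumentException("Unknown category: $cat");
        }
    }
    // Drop any directory part of the stored name and allow image types only.
    $file = basename($file);
    $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if ($file === '' || $file[0] === '.' || !in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new InvalidArgumentException('Unexpected file name');
    }
    // Double quotes so the variables expand; realpath() resolves symlinks and "..".
    $root = realpath($base);
    $src = realpath("$base/$old/$file");
    $dstDir = realpath("$base/$new");
    foreach ([$src, $dstDir] as $path) {
        if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
            throw new RuntimeException('Path is missing or outside the image folder');
        }
    }
    // Never overwrite: on a name clash add -1, -2, ... before the extension.
    $name = $file;
    $stem = pathinfo($file, PATHINFO_FILENAME);
    for ($i = 1; file_exists("$dstDir/$name"); $i++) {
        $name = "$stem-$i.$ext";
    }
    if (!rename($src, "$dstDir/$name")) {
        throw new RuntimeException('Move failed');
    }
    return $name; // store this value in the database as the new image name
}

// Constructed demo data in a temporary folder.
$base = sys_get_temp_dir() . '/photo-demo-' . uniqid();
foreach (CATEGORIES as $c) { mkdir("$base/$c", 0755, true); }
touch("$base/landscape/hill.jpg");
touch("$base/portrait/hill.jpg");
echo moveImage($base, 'landscape', 'portrait', 'hill.jpg'), "\n";
try {
    moveImage($base, 'portrait', '../../uploads', 'hill.jpg');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

The file_exists() check and rename() are two separate steps, so a clash is still possible under concurrent requests; serialize moves per folder if that matters.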

Explorer, Oct 14, 2011

Yep, fair enough, you've convinced me.

I would have put a validation script for the upload form in either case and I haven't gone too far with it so I guess there is no real need to worry.

Thanks for your advice.

Advocate, Oct 14, 2011

You're welcome. Keep us posted on your progress. I love building these kinds of applications, don't get to do it enough. So the next best thing is seeing someone else's work!
