uploading via PHP over SSL

Discuss Programming
byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

uploading via PHP over SSL

Post by byrdman » Mon Nov 03, 2008 10:38 pm

I have a problem with php uploads via SSL. I was wondering if I could get some ideas on what could be the problem. I have a site that was custom written by a previous employee, that I inherited. PHP uploads worked. I implemented SSL, and thanks to Void, got the mod_rewrite working correctly (see mod_rewrite post in the Fedora/Red Hat Forum). One thing I did not test is the uploads. When you go to the upload page it will let you select the file on the local file system but once you hit upload it will respond differently depending on the browser. IE will say File was uploaded correctly but the file is not on the web server file system - of which has permissions for writing. In Firefox 3.x - it doesn't appear to respond back with any response/error. I am at home and do not have the code, logs, etc right now but if anyone has a tip, like "try this" or "check out this", I would be grateful. If anyone is interested in helping me solve it, I can start pasting the php_error logs the code and stuff tomorrow. Just looking for places to start my investigating.

The system is Apache 2.x, PHP 5 and MySQL. more detailed versions to come...but I have a feeling that it has to be something with implementing SSL since it worked just fine over port 80. Thanking you all in advance.

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main » Tue Nov 04, 2008 12:58 pm

Could it be that you put in the rewrite lines in Apache to force the browser to be "redirected" to port 443 if it started on 80 but didn't change your PHP upload code to use https instead of http and the redirect is causing the problem? I would be interested in seeing the upload portion of the PHP code.

byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Tue Nov 04, 2008 3:29 pm

Actually, it may have more to do with $_SESSION and $_REQUEST and these two varibles being encyped??

Below is my upload.php code:

I have placed a bold tag on a line below that is returning 'null.' Notice the line right after, which has $file_data=/FTPROOT... if I hard code the content folder the upload works. So my thinking is that something with SESSION is different using SSL because $_REQUEST(contentfolder) is coming back null, therefore not being able to upload. My php_error log that shows that is pasted after the upload.php
PS - not responsible for the WAMP installation - I inherited it!! :oops:
########
upload.php
###########################################

<?php

$errors = array();
$data = "";
$success = "false";

function return_result($success,$errors,$data) {
echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>";
echo "<results><success>".$success."</success>".$data."".echo_errors($errors);
echo "<path>" . $_REQUEST['contentfolder'] . "</path>";
echo "</results>";
}

function echo_errors($errors) {

for($i=0;$i<count($errors);$i++) {
echo "<error>".$errors[$i]."</error>";
}
}

switch($_REQUEST['action']) {

case "upload":

$file_temp = $_FILES['file']['tmp_name'];
$file_name = $_FILES['file']['name'];

//$file_path = $_SERVER['DOCUMENT_ROOT']."/myFileDir";
[b] $file_path = $_REQUEST['contentfolder'];[/b]
//$file_path = "/FTPROOT/Display 3 Content/Clients/Client_Content/MM-Demo/ASSETS";

//checks for duplicate files
if(!file_exists($file_path."/".$file_name)) {

//complete upload
$filestatus = move_uploaded_file($file_temp,$file_path."/".$file_name);

if(!$filestatus) {
$success = "false";
array_push($errors,"Upload failed. Please try again.");
} else {
$success = "true";
}

}
else {
$success = "false";
array_push($errors,"File already exists on server.");
}

break;

default:
$success = "false";
array_push($errors,"No action was requested.");

}

return_result($success,$errors,$data);

?>
#######################################

#######
php_error_log
#######################################
[04-Nov-2008 13:44:06] PHP Warning: move_uploaded_file(null/A_IRA_Accumulation_02.20.08.swf) [<a href='function.move-uploaded-file'>function.move-uploaded-file</a>]: failed to open stream: No such file or directory in C:\wamp\www\mediamanager\upload.php on line 36

[04-Nov-2008 13:44:06] PHP Warning: move_uploaded_file() [<a href='function.move-uploaded-file'>function.move-uploaded-file</a>]: Unable to move 'C:\wamp\tmp\php125.tmp' to 'null/A_IRA_Accumulation_02.20.08.swf' in C:\wamp\www\mediamanager\upload.php on line 36
########################################

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main » Tue Nov 04, 2008 6:16 pm

Windows? All bets are off. You know the rules. :) I can't imagine why SSL would cause any difference in behavior because that happens at a lower level but I have no idea how this stuff might work (or not work) under Windows. Have you tried running the same code on Linux and get the same results? I am sure you've already googled this to death? I would be interested in seeing how you actually call this script.

byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Wed Nov 05, 2008 8:50 am

believe me when I say, I am embarrassed about the wamp setup. I have only been in this job for 4 weeks but I am pushing for linux in more places then this. If you look at my post in the Fedora/RedHat forum regarding the linux kiosk under the 'Fedora on a USB stick.' That is something I have seen done, and works great but I would have to phase that in and it starts with a proof of concept, that I have not had time to work on because of things like this wamp server I am stuck with for the time being.
But back to my findings from the php uploads...
Everything works perfectly under port 80. The main page sets $_SESSION with the 'contentfolder.' When under port 80, the $_REQUEST returns the correct path. Once I go HTTPS, the $_REQUEST returns 'null.'

I guess my next step is to test it on a linux OS. I don't have the knowledge to understand that this is because of WAMP, but one of my arguments to get them to give me a server to test it on linux, is that I was not happy with using apache, MySQL, and PHP on a windows box when those packages were designed to run on *nix.

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main » Wed Nov 05, 2008 9:28 am

Can you provide a sample of code that calls this script where it works on port 80 and not 443. That is, something I can use to duplicate your problem.

byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Wed Nov 05, 2008 2:31 pm

that may be a problem because I just found out that they use Adobe Flex to upload with php. I can not find the source fla to check when/where it calls upload.php

My goal here at this new company is to migrate a lot of this stuff to linux. I need to test the website on a linux with apache, mysql and php and also create the linux pc kiosk that gets the play lists from a linux web server. The issue right now is we have close to 1000 clients and right now these windows pc's all connect to two win2k3 server that aren't that reliable. We are a managed service provider that does the design and deployment of the content and I can see linux playing a major role here. Just need to convince the higherups.
As of now I am running back on port 80 because everything is working how it was developed to do.

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main » Wed Nov 05, 2008 7:27 pm

If you don't know where the call to the upload.php is in the code how can you be sure it isn't being called on port 80? That's what I was saying before. If the calling code calls the script on port 80 and the script redirects to port 443 all those session vars will get zapped (I would think). You would have to change the calling code to call it either relatively or code it to use https.

For example if it's being called like:
http://yourserver.yourdomain.com/somewhere/upload.php
rather than just:
/somewhere/upload.php
or:
upload.php
then you would have to change it to one of the two latter calls or to this:
https://yourserver.yourdomain.com/somewhere/upload.php
I could be very wrong but I don't believe session vars could survive a redirect. I would have to do some testing on that.

EDIT: I just did a google search and it appears there is a LOT of talk supporting my thought:

Search: php session variables redirect

byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Thu Nov 06, 2008 8:33 am

Well, I mentioned that they were using Adobe Flex to upload files using php. I found this 'mxml' file:

private const _strDomain:String = new String("");
//private const _strUploadScript:String = new String(_strDomain + "MediaManager-NEW/FileUpload/upload.php");
private const _strUploadScript:String = new String(_strDomain + "upload.php");
// Initalize
private function initApp():void {
Security.allowDomain(_strDomain);

I don't know Flex but it looks like it uses _strDomain as the beginning part of the URL? So my guess is that _strDomain would be:
http://192.168.5.2/mysite" + "upload.php"
&
http://myoutside.domain.com/mysite" + "upload.php"

depending on whether or not we are accessing the site or our clients are...
So if they are already redirected by mod_rewrite once they enter the site won't the _strDomain already have https in it?

Another question is if I turn off port 80 on my testing site on my laptop, and only have 443 and no mod_rewrite, that should help me...I think...

BTW...the question was put up to upper mgmt about letting me put linux here and at least test it....we are waiting on the responses...so if I fix the problem here, they might say there is no need. But I would still like to test it and make them believe that apache, MySql and php were not designed for a MS OS, and don't run at their peak when done so.

byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Thu Nov 06, 2008 9:03 am

just as a test, I shut off port 80 on Apache, I commented out the mod_rewrite and only went in through https.
Same error. the $_REQUEST is showing up 'null' in the path. I can not see how it is getting redirected now, so how can the $_SESSION get lost?

User avatar
Void Main
Site Admin
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA
Contact:

Post by Void Main » Thu Nov 06, 2008 7:27 pm

The only other thing I can think of is deleting your cookies. The only thing I can find where that happens is switching between non-SSL and SSL but not when the session stays on either.

byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Fri Nov 07, 2008 3:19 pm

Thanks for all the help. My next step is putting this site and db on my LINUX laptop and seeing what happens then. I never did take the blame off of MS, just that I was so close to isolating the issue, I did not see how mod_ssl would act that differently.

Please be kind to the guy that inherits what he does not like

byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Mon Nov 10, 2008 10:30 am

I just got approval to start testing on linux so I will let you know how it goes!!!

byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Mon Nov 10, 2008 4:34 pm

Same Exact result. It must be a coding error on his part. Now that I took M$ out of the loop, I am at a complete loss.

byrdman
administrator
administrator
Posts: 225
Joined: Thu May 08, 2003 1:59 pm
Location: In the cloud

Post by byrdman » Tue Nov 11, 2008 12:58 pm

OK, I did find the code that was calling the upload.php:

<mx:Script>
<![CDATA[

import mx.controls.Alert;

private const _strDomain:String = new String("");
private const _strUploadScript:String = new String(_strDomain + "upload.php");
// Initalize
private function initApp():void {
Security.allowDomain(_strDomain);
}

]]>
</mx:Script>

The above is the FLEX web app that calls the upload.php.

The upload location is retrieved successfully from the $_SESSION when done on port 80. the upload location is returned as null when over 443. Normally, this location is stored in MySQL and retrieved from a query based on the client_id that is logged on to our site. Could 443 have any issues when the webserver and the database are on the same server?

Post Reply