
custom php.ini file in subfolder causing issues with $_SESSIONS variables

Developer https://www.devze.com 2023-02-22 03:27 Source: Internet
I have a sub-folder with two files. The first is email.php, with a form that a user can use to send me an email. It also has a captcha-like script to prevent spam, and uses $_SESSION[foo] variables. The second is upload.php, which allows registered users to upload files. Both files worked fine. Now I need to increase the upload_max_filesize from the base 2MB for upload.php. My host does not provide access to the main php.ini, but recommends that I create a custom php.ini file in this subfolder. So I created:

php.ini

upload_max_filesize = 10M ;
post_max_size = 10M ;

I now get the errors Warning: include() [function.include]: Filename cannot be empty and Warning: include() [function.include]: Failed opening '' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') when I submit the form/captcha on email.php.

$_SESSION[foo]=$_GET[bar]; 
else  $_SESSION[foo]="foobar.php";
include($_SESSION['foo']); 

I found that $_SESSION[foo] is empty even with the else. After some research I found, when I ran phpinfo(), that session.save_path had no value (the original was /tmp). So now

php.ini

upload_max_filesize = 10M ;
post_max_size = 10M ;
session.save_path = /home/foobar/tmp ;

But I am still getting the error. If I remove the php.ini file from this folder, then the form script on email.php works just fine, but I am back to upload_max_filesize = 2MB for upload.php. Any help would be appreciated.


This is an issue with CGI PHP setups where the server php.ini directives do not cascade into custom configurations.

I've written about this extensively here - http://blog.philipbrown.id.au/2009/08/php-suexec-and-custom-php-ini-files/


$_SESSION[foo]=$_GET[bar]; else $_SESSION[foo]="foobar.php"; include($_SESSION['foo']);

I'm a bit confused by this snippet. Not only is it invalid (no if statement, array indexes not quoted) but highly insecure.
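
The insecurity the last answer points at is that a request parameter decides which file include() loads. As an added example (not part of the original posts), one way to constrain that is an allowlist lookup; the page keys and the file names other than foobar.php are assumptions:

```php
<?php
// Added example: allowlist-based page selection in place of
// include($_SESSION['foo']) fed directly from $_GET['bar'].

// Hypothetical page keys; only foobar.php appears in the question.
const PAGES = [
    'default' => 'foobar.php',
    'thanks'  => 'thanks.php',  // assumed name
    'error'   => 'error.php',   // assumed name
];

/**
 * Map an untrusted request value to a file name from the allowlist.
 * Unknown, empty or non-string input falls back to the default page,
 * so the result is never empty and never chosen by the requester.
 */
function resolve_page($requested): string
{
    if (is_string($requested) && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES['default'];
}

// Constructed sample inputs: a valid key, a path outside the folder,
// a URL, an array (?bar[]=a) and a missing parameter.
$samples = ['thanks', '../../etc/passwd', 'http://example.test/x.txt', ['a'], null];
foreach ($samples as $input) {
    printf(
        "%-30s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        resolve_page($input)
    );
}

// In email.php the call site would then read:
//   session_start();
//   $_SESSION['foo'] = resolve_page($_GET['bar'] ?? null);
//   include __DIR__ . '/' . $_SESSION['foo'];
```

Only the first sample resolves to thanks.php; every other input resolves to foobar.php, so include() never receives an empty or request-supplied path.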
