[Server-devel] Uploading files to the XS via a simple PHP form

Anna aschoolf at gmail.com
Wed Jun 15 22:31:03 EDT 2011


A long while ago, a teacher contacted me wondering how he could upload files
to the XS.  He had a Mac, so I set him up with an XS login and a dir in
/var/www/html and he used CyberDuck to scp the files.  But what if it had
been a teacher who only had access to one of the school's XP machines?  The
IT policy is so strict you can't install anything.  While a few teachers
might be OK with scping files from an XO, most might not.

Now, I know Moodle handles file uploads, but some folks don't use it.  Or
they might prefer to upload certain things outside of Moodle where Apache
can serve it.

Aside from security concerns, and the vain hope that your users aren't
careless idiots, this is extremely easy to set up.

Obviously, take care if your XS faces the outside world.  On my test XS, I
put upload.html in /var/www/html/clubhouse, which is password protected with
.htaccess.  Seriously, this is all it takes to make the form:

 <form enctype="multipart/form-data" action="../upload.php" method="POST">
 Please choose a file: <input name="uploaded" type="file" /><br />
 <input type="submit" value="Upload" />
 </form>

In /var/www/html, I created upload.php which says where to upload the file
(the target).

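<?php
 // Destination directory, relative to this script (/var/www/html/deaddrop).
 $target = "deaddrop/";
 // basename() strips any directory components from the client-supplied name.
 $target = $target . basename($_FILES['uploaded']['name']);

 // move_uploaded_file() only moves files that arrived as an HTTP POST upload.
 if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
 {
     // Escape the name before echoing it back into the page.
     echo "The file " . htmlspecialchars(basename($_FILES['uploaded']['name'])) . " has been uploaded";
 }
 else
 {
     echo "Sorry, there was a problem uploading your file.";
 }
 ?>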

The last step was to create /var/www/html/deaddrop and set the permissions:

chown -R apache:apache deaddrop

So now all the user needs to do is go to
http://schoolserver/clubhouse/upload.html, enter the login credentials if
you've set that up, upload a file from their local drive, then go to
http://schoolserver/deaddrop to see it listed in the index.

Users can't delete files, of course.  Root needs to log in to take care of
that.  Which means if a careless idiot accidentally uploads, ahem, "home
movies," that will be up there for all to see until someone with root access
can take care of it.

And there's nothing that would keep you from setting up a password protected
"teachers lounge" with individual upload.html files that point to individual
teacher's web directories.

As always, comments, suggestions, and criticism welcome.

Anna Schoolfield
Birmingham
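
A stricter variant of upload.php, as an added example that is not part of the original post: it accepts only an allow-list of file types, rebuilds the stored name from safe characters, and refuses to overwrite, so nothing Apache would execute or interpret can land in deaddrop. The extension list, size cap and the function name store_upload are assumptions, and it assumes PHP 7 or later.

```php
<?php
// Added example: hardened upload handler for the "uploaded" form field.
// Allow-list, size cap and names below are assumptions, not from the post.
const UPLOAD_DIR   = __DIR__ . '/deaddrop/';
const MAX_BYTES    = 20 * 1024 * 1024;                       // assumed 20 MB cap
const ALLOWED_EXTS = ['pdf', 'txt', 'jpg', 'png', 'odt', 'ogg'];

/** Stores one $_FILES entry; returns the stored name or throws. */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('no file received');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied name is untrusted: drop any path, split off the extension.
    $info = pathinfo(basename($file['name']));
    $ext  = strtolower($info['extension'] ?? '');
    if (!in_array($ext, ALLOWED_EXTS, true)) {
        // Rejects .php, .phtml, .htaccess and anything else not listed.
        throw new RuntimeException('file type not allowed');
    }
    // Keep only safe characters in the stem. Inner dots are replaced too,
    // so "notes.php.jpg" is stored as "notes_php.jpg".
    $stem = trim(preg_replace('/[^A-Za-z0-9_-]+/', '_', $info['filename']), '_');
    if ($stem === '') {
        $stem = 'upload';
    }
    $name = $stem . '.' . $ext;
    if (file_exists(UPLOAD_DIR . $name)) {
        throw new RuntimeException('a file with that name already exists');
    }
    // move_uploaded_file() refuses anything that is not a genuine POST upload.
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . $name)) {
        throw new RuntimeException('could not store file');
    }
    chmod(UPLOAD_DIR . $name, 0644);                         // readable, never executable
    return $name;
}

try {
    $name = store_upload($_FILES['uploaded'] ?? []);
    echo 'The file ' . htmlspecialchars($name) . ' has been uploaded';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Sorry, there was a problem uploading your file: ' . htmlspecialchars($e->getMessage());
}
```

With the layout described above, upload.php sits in /var/www/html, outside the password-protected clubhouse directory, so the .htaccess login covers the form but not the handler. Placing the handler inside the protected directory makes the POST require the same login.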