Portal Home > Knowledgebase > Articles Database > PHP: Make a zip file on the fly
PHP: Make a zip file on the fly
| Posted by krissauquillo, 05-17-2009, 02:28 PM |
| Does anyone know how I would be able to make a script where a user can check of checkboxes on a list of files. Then when the user clicks the download button the site would zip all the checked files direct the user to download it right after.
I've read up on PHP's zip functions, but I'm still rather lost.
|
| Posted by xphoid, 05-17-2009, 09:29 PM |
| There's a really good zip creation class here: http://forums.devnetwork.net/viewtopic.php?f=29&t=29027
I had problems creating an archive with the Zip extension in PHP, and that class worked great as a replacement.
Keep in mind either one will use a fair amount of memory.
|
| Posted by yangyang2036, 05-18-2009, 05:39 AM |
| Run a shell command with PHP:
exec('tar zcf files.tar.gz file1 file2 file3');
You can also zip it.
Last edited by yangyang2036; 05-18-2009 at 05:44 AM.
|
| Posted by mwatkins, 05-18-2009, 04:03 PM |
| Short of writing it for you, I'm not sure what we can do here as we can't tell if your issue is very specific to the ZipArchive class, compiling in support for it (--enable-zip), general use of PECL, some third party class, or is the problem more broadly one of 'howto'. Maybe if you point out specific areas that you are stuck on we can give you a leg up then.
Some broad advice: If stuck, consider stop writing code and write some higher level pseudo-code that describes more generally what needs to happen. Think of it like an outline.
I'm going to post here as my pseudo-code some working Python code which goes most of the way there. Running it will produce a zip file with some contents - the comments at the end outline what's still required to get a user downloading the newly created zip. Rip out the "fake_files" function and you can see what's left isn't very long.
Run it a couple of times and you'll have output similar to:
|
| Posted by fwaggle, 05-18-2009, 04:19 PM |
Don't do this. Either of them.
Unless you put an element on the resulting page saying "please hack me", then I suppose you can get away with it. You'll spend more effort putting checks and fail-safes on this to prevent someone exploiting it than you would just doing it correctly in the first place.
|
| Posted by tim2718281, 05-18-2009, 06:19 PM |
| I am having trouble understanding why a server zipping a bunch of its files into one for the user to download would enable anyone to exploit anything.
|
| Posted by mwatkins, 05-18-2009, 07:54 PM |
| Any call to exec, system, popen and so on is potentially a significant vulnerability merely because of the heighten risk of either exposing a latent vulnerability or introducing through local code (and bad practice) a new vulnerability. The issues involved are at a much broader level than just this one lowly script, or even PHP itself.
The sorts of problems introduced could be anything from inserting dangerous shell commands (this script will be selecting multiple filenames so this is conceivable - how about a `rm -rf .`?) to offering the potential to take over the web server. For but one lowly example of the latter look at http://bugs.php.net/bug.php?id=38915 which was first reported in 2006.
One can't strongly enough recommend the person coding the solution need be aware of the nature of the risks. Often times an application programmer has a weaker understanding of OS / system level issues, so if we are walking on OS/system boundaries, one had better be sure of themselves, or code around it if not.
Developers tend to be more aware these days of the risks of unfiltered input being used by persons with malicious intent - a common exploitation of exec() calls which have plagued many PHP (and other) applications. But how many developers are aware that their choice of implementation, which seems innocuous at the time, might allow an attacker to shut down Apache and more through inherited file descriptors?
Last edited by mwatkins; 05-18-2009 at 08:03 PM.
Reason: Added links to some examples... squirrelmail, phpBB, phpmyadmin...
|
| Posted by tim2718281, 05-19-2009, 03:17 AM |
| I think I need more explanation.
The OP said there will be a series of checkboxes, one for each file. The user ticks the checkboxes for the files they want; the files are then to be zipped into a single file for download.
For the sake of illustration, let's suppose there are three checkboxes, and the three files are called "file1", "file2", "file3".
The server script will be something like this:
outputfile = "uniquetempfilename"
filelist = ""
if checkbox1 then filelist = filelist "file1"
if checkbox2 then filelist = filelist "file2"
if checkbox3 then filelist = filelist "file3"
if filelist (has someentries)
then exec zipprogram outputfile filelist
I really thought the user of that web page would be unable to do anything the programmer did not want them doing.
|
| Posted by mwatkins, 05-19-2009, 03:54 PM |
| I would never say that you *can't* write safe code that calls exec, only that it is *exceedingly easy* to write unsafe code that launches other processes. If no user-provided input is being submitted as arguments, that's an excellent start.
But we are not mind-readers and can't just assume someone asking for help will connect all the proper dots together and do the right thing if the advice they get amounts to "just use exec() to run zip".
|
| Posted by fwaggle, 05-19-2009, 08:36 PM |
| I agree, completely. Given the amounts of times exec()/execve() and other related functions are used in Operating Systems it's obvious they're not an immediate deathtrap - but as you said it's pretty easy to write unsafe code using exec().
Furthermore if someone doesn't know how to zip something inside PHP, they probably don't understand all the ramifications of using exec(), ergo just pointing them to exec() probably isn't the greatest idea... hence my reply.
Someone inexperienced enough to not be able to figure out how to use the zip modules to create a zip file, then choosing to use exec(), is a loaded gun just waiting for a foot to be pointed at.
|
| Posted by JayX, 05-20-2009, 06:31 AM |
Here's a little script I wrote for private use (hence there was no real thought to security, so should probably be reviewed if used in public). A single file using the PCLZIP library that's easily found.
I suck at php and it's not exactly the same as what you're requesting, but similar. It has exec use in it, but not for an element that you would need to copy across for your script, so that can be safely removed. There's also a cracking use of a double
that truly is a crime against design!
(It's function was a user could enter a URL to a file, the script would then zip it up for download off a trusted server. Not useful to many people, but it had a purpose I swear!)
|
| Posted by alfyles, 05-30-2009, 04:15 PM |
| Don't use exec unless there is no other way to do it. Using exec is like using a samurai to cut a chicken for dinner. PHP provides zip functions. I used the following:
|
| Posted by mwatkins, 06-09-2009, 02:15 PM |
| For a really good example of the harm "exec" can cause (or taking user supplied input at face value, no matter how the system call is made) one only need read the 100+ pages of the following WHT threads:
* Vaserve / a2b2 / fsckvps and others hacked, 1000's affected
* HyperVM Owner Kills Self
|
| Posted by tim2718281, 06-09-2009, 02:57 PM |
| I found this list of security bugs in LxAdmin
http://securityreason.com/wlb_show/WLB-2009060016
|
| Posted by mutu26, 07-29-2009, 08:19 AM |
| Some days ago I heard
|
| Posted by SsZERO, 08-11-2009, 09:43 AM |
| Excessive and pointless alarmism is fun. You obviously don't know much about coding because your post is long-winded and it seems like a menagerie of cut-n-pastes that beg for attention more than anything else.
There is nothing wrong with using exec() in a script as long as you are sanitizing the data being passed along to it. If you are not sanitizing all user input, then your code is full of holes regardless of the functions you opt to use. In many instances using exec() or system() result in faster performance.
If you are not passing an undeclared variable to either function, there is not much risk. If you do need to pass a variable to exec(), you would declare it and use escapeshellarg() to prevent "extra" stuff from being added in.
Do the internet a favor and don't speak unless you really know what you are talking about.
To the OP, using exec() is probably the most efficient solution to your problem and it gives you tighter control over the zip files that are produced. I use as similar function for managing RAR files dynamically. I just use the command line version of RAR for Linux.
|
Add to Favourites 
Print this Article
Also Read
