-3

I have searched through the community and found that adding:

  $cmd = 'file --brief --mime ' . @escapeshellarg($file['tmp_name']) . 

might solve the issue but it has not.

I am trying to upload a file in CodeIgniter PHP.

I have developed an application that works fine on my local machine. I was able to upload files, but then I moved it to the live server.

Now I am getting an error:

A PHP Error was encountered

Severity: Warning

Message: escapeshellarg() has been disabled for security reasons

Filename: libraries/Upload.php

Line Number: 1039

A PHP Error was encountered

Severity: Warning

Message: Cannot modify header information - headers already sent by (output started at /home/primeasp/public_html/bizlnps_prov/system/core/Exceptions.php:186)

Filename: helpers/url_helper.php

Line Number: 543

But it has not, so I have posted here.

Why am I getting this error? And how will I be able to solve it?

Code:

function do_upload()
{
    $config['upload_path'] = './uploads/';
    $config['allowed_types'] = '*';   // every file type is accepted

    $this->load->library('upload', $config);
    $this->upload->initialize($config);

    if ( ! $this->upload->do_upload())
    {
        // Upload failed: show the library's error messages
        $error = array('error' => $this->upload->display_errors());

        $this->load->view('customer/upload/upload_ini', $error);
    }
    else
    {
        $data = array('upload_data' => $this->upload->data());

        $id = $this->session->userdata('id');

        foreach ($data as $row)
        {
            $file_name = $row['file_name'];
            $file_path = $row['file_path'];
        }

        $site = $this->session->userdata('site');
        $insert_data = array(
            'customer_id' => $id,
            'base_ini_filename' => $file_name,
            'file_path' => $file_path,
            'site_key' => $site
        );

        $this->db->insert('base_ini', $insert_data);

        // redirect() ends the request, so the two lines after it do not run
        redirect('customer/upload_ini/index');

        $this->data['subview'] = 'customer/upload/upload_success';
        $this->load->view('customer/_layout_main', $this->data);
    }
}
Rajan
  • 5
    Possible duplicate of [escapeshellarg() has been disabled for security reasons](http://stackoverflow.com/questions/10384336/escapeshellarg-has-been-disabled-for-security-reasons) – Tomasz Mar 22 '16 at 07:10
  • @TomaszTurkowski I have mentioned in my question that I have referred to that question, but it has not helped me, so I have posted it again – Rajan Mar 22 '16 at 07:11
  • What you copy-pasted won't help you. Check the second answer from Waqleh in that link. Basically, the function escapeshellarg is disabled on your server. – Tomasz Mar 22 '16 at 07:13
  • Possible duplicate of [Warning: exec() has been disabled for security reasons](http://stackoverflow.com/questions/11711675/warning-exec-has-been-disabled-for-security-reasons) (Different function, same issue.) – Alexander O'Mara Mar 22 '16 at 07:14
  • 2
    In short, `escapeshellarg` is in your server's `disable_functions` list. IDK why this exact function is disabled, the server admin probably doesn't realize it can't do much by itself, but I suspect you will find `exec`, `shell_exec`, etc on the list also. – Alexander O'Mara Mar 22 '16 at 07:16
  • The `@` symbol just silences the warning; it doesn't actually fix the problem. The problem is that the administrator of your live server has disabled running shell commands. My guess is you are using shared hosting where you can't run commands for security reasons. If you want to do that, you will need to run your own server. – Chris Mar 22 '16 at 07:16
  • @TomaszTurkowski I followed his answer and did as he said, but I am still getting the error, and for the .ini file, I don't have access to that file – Rajan Mar 22 '16 at 07:17
  • Then your host evidently does not want you to be able to use this function, or to change "security" settings. – Alexander O'Mara Mar 22 '16 at 07:18
  • @Rajan then you are not able to use that function and you need to do a workaround, which is also explained in that post. – Tomasz Mar 22 '16 at 07:19
  • @TomaszTurkowski I am just trying to do a simple upload. I am uploading CSV files and that works fine, why not this? – Rajan Mar 22 '16 at 09:00
  • @AlexanderO'Mara what should I do in this case? I don't want to change the security setting; all I want to do is upload a file to the server – Rajan Mar 22 '16 at 09:01
  • If this is the only disabled function you need, you can reimplement it. See Hanky Panky's answer. – Alexander O'Mara Mar 22 '16 at 16:03

2 Answers

2

The host has disabled the escapeshellarg function. Using @ in front of a function suppresses an error; it doesn't mean the function will actually work after adding it.

Either find a host that will allow this function or purchase dedicated resources such as a VPS / Dedicated server where you can install your own version of PHP and choose the functions that you wish to enable.

Matt
  • And why can't they use a 3rd option of doing what that function does for them? That function has no rocket science – Hanky Panky Mar 22 '16 at 08:45
0

escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument.

That's simple enough to do yourself since it's blocked on your host.

// Each ' becomes '\'' (close the quoted string, add an escaped quote, reopen it)
$cmd = "file --brief --mime '" . str_replace("'", "'\\''", $file['tmp_name']) . "'";


Hanky Panky
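
The quoting rule this answer describes, as an added example that is not part of the original answer: on a POSIX shell, a single quote inside a single-quoted argument has to be written as `'\''`, because a backslash is literal inside single quotes. The function names `posix_shell_quote()`, `backslash_quote()` and `shell_unquote()` are hypothetical, and the file names are constructed samples.

```php
<?php
// Added example. Function names are hypothetical; sample file names are constructed.

/** Userland stand-in for escapeshellarg() when a POSIX shell runs the command. */
function posix_shell_quote(string $arg): string
{
    if (strpos($arg, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte cannot be passed as an argument');
    }
    // Inside '...' every byte is literal, backslash included, so a quote is
    // written by closing the string, adding \' and reopening it: ' becomes '\''
    return "'" . str_replace("'", "'\\''", $arg) . "'";
}

/** Backslash-only variant for contrast: \ is not an escape inside single quotes. */
function backslash_quote(string $arg): string
{
    return "'" . str_replace("'", "\\'", $arg) . "'";
}

/**
 * Small model of how a POSIX shell reads a word built from '...' parts and
 * \x escapes. Returns the argument the program would receive, or null when
 * the word contains anything unquoted or an unterminated quote. That is
 * stricter than a real shell, which is what a quoting check wants.
 */
function shell_unquote(string $word): ?string
{
    $out = '';
    for ($i = 0, $n = strlen($word); $i < $n; $i++) {
        if ($word[$i] === "'") {
            $end = strpos($word, "'", $i + 1);
            if ($end === false) return null;   // quote never closed
            $out .= substr($word, $i + 1, $end - $i - 1);
            $i = $end;
        } elseif ($word[$i] === '\\' && $i + 1 < $n) {
            $out .= $word[++$i];               // backslash escape outside quotes
        } else {
            return null;                       // unquoted byte: not one literal argument
        }
    }
    return $out;
}

foreach (['report.csv', "it's.ini", "a'b'c"] as $name) {
    printf("%-12s strict=%s backslash=%s\n", $name,
        var_export(shell_unquote(posix_shell_quote($name)) === $name, true),
        var_export(shell_unquote(backslash_quote($name)) === $name, true));
}
```

Run it with the `php` command line; the two columns differ only for names that contain a single quote.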