Hello There, Guest! (LoginRegister)
This forum uses cookies
This forum makes use of cookies to store your login information if you are registered, and your last visit if you are not. Cookies are small text documents stored on your computer; the cookies set by this forum can only be used on this website and pose no security risk. Cookies on this forum also track the specific topics you have read and when you last read them. Please confirm whether you accept or reject these cookies being set.

A cookie will be stored in your browser regardless of choice to prevent you being asked this question again. You will be able to change your cookie settings at any time using the link in the footer.

Latest Releases: Plugin Uploader - Cookie Law - Karma Stars

Latest Updates: Karma Stars 1.0

Follow @mattrmybbmods on Twitter for info on releases and updates

Not Solved [Information] FTP login details for plugin uploader

15-06-2011, 06:51 AM (This post was last modified: 26-06-2011 08:35 AM by MattRogowski.)
Post: #1
Not Solved FTP login details for plugin uploader
The latest version of the plugin uploader includes support for uploading files for plugins via FTP. As there will be various questions and concerns about this I will try and explain everything here.

You do not necessarily have to give your FTP details to the plugin uploader. When moving files, the plugin uploader will try and use standard PHP functions to move the files to their destinations. However, on some servers, PHP will not have permission to do this due to file ownerships, so it will then attempt to move the files via FTP. You may have had to give your FTP details in WordPress for automatic updates or plugin/theme installations/updates; this is a similar sort of thing. If you could upload plugins fine using previous versions, and/or you do not see a message on the plugin uploader page about requiring an FTP connection, then your server will be able to move the files with standard PHP functions, and you will not need to give any FTP details.

This is the process taken to try and copy a file:
  • copy()
  • rename()
  • fopen()
    • file_get_contents()
      • file_put_contents()/fwrite()

  • ftp_connect() (entering FTP mode)
    • ftp_rename()
    • ftp_chmod() (change CHMOD of parent folder via FTP)
      • ftp_rename() (called again after CHMODing parent folder)
        • ftp_chmod() (undo CHMOD of parent folder)
      • copy() (called again after CHMODing parent folder)
        • ftp_chmod() (undo CHMOD of parent folder)
      • rename() (called again after CHMODing parent folder)
        • ftp_chmod() (undo CHMOD of parent folder)
      • fopen() (called again after CHMODing parent folder)
        • file_get_contents()
          • file_put_contents()/fwrite()
            • ftp_chmod() (undo CHMOD of parent folder)

As you can see, it tries different ways of copying the file before resorting to FTP (although if the first copy() call fails it's likely FTP will be needed anyway), and may have to CHMOD the parent folder to be able to move the file. The only alternative to connecting via FTP is to CHMOD all the folders in your file system to 777; PHP won't be able to change the CHMOD to 777 and then change it back after copying the file, as if it doesn't have permission to copy a file to a folder, it won't have permission to change the CHMOD of that folder.

Your FTP details must be hardcoded into the plugin uploader plugin file, in a similar way to your database details being stored in your config.php file. This is because they cannot be stored in your database; I cannot pass encrypted login details to the FTP connection function, which would mean your FTP details would need to be stored unencrypted in your database, which isn't something I'm going to do. If they were to be stored unencrypted in the database, anybody who gained unauthorized access to your database would be able to see them and connect to your FTP server, whereas if the details are stored in a file, somebody would already need access to your file system to be able to see it, thus they wouldn't need the details anyway. The login details are stored as private variables in the PluginUploader class, which means they can only be accessed by the PluginUploader class itself, and not by any classes that extend that class. It's not the most ideal place to have to put them but it's the most secure place I can store them. It's either a case of storing them in the file, or having to enter them every time you upload a plugin.

Ultimately this change just means more people will be able to use the plugin uploader who couldn't before. If you have any questions, comments or concerns about this new feature, feel free to raise them by making a thread in this forum.

Download My Plugins
My Personal Site - Twitter - Facebook
MyBB Support Team Lead.

Forum Jump:

User(s) browsing this thread: 1 Guest(s)