No announcement yet.

Upload .php documents for an account?

  • Filter
  • Time
  • Show
Clear All
new posts

  • Upload .php documents for an account?

    I have a couple of .PHP files that I use with a client and what to save them as documents in their EspoCRM entry. But it won't let me... give me an "Error 403: Access denied. Not allowed file type" message

    Is there a way to allow .php as document types.

    (Yes, I can save them as .txt files but would rather not if possible.)

  • #2
    I got an email about the reply:
    item has made a new post under
    Upload .php documents for an account?

    The discussion is located at:

    Here is a preview (may be truncated):
    at your risk and certainly very bad.

    just add .php to

    All the best,
    EspoCRM Open Source Community Forum

    When I go to the link I get:

    Sorry, you are not authorized to view this page. For assistance contact the site administrator.​


    • #3
      Administration > Entity Manager > Document > Fields > File. Add ".php" in the Accept field.


      • #4
        Thank you.

        Why is putting .php code in an attached document a bad practice?

        Is there a way that .php code in an attached document could be executed in EspoCRM? Would re-naming the .php file to .txt make it any safer? Should I make it a Word file?

        Should I encrypt it with one of the many utilities out there (or one you might suggest?)

        How do you suggest that I save some code used for a client (we make websites and like to save a lot of 'stuff' about a client's site, especially specialized code... just in case the site gets 'bricked' or deleted, etc.)

        It is not a big deal... we don't have to do this ... and very rarely ever is just sometimes convenient for us..


        • #5
          Nothing wrong with uploading PHP files, despite "security specialists" will say opposite. It's to mitigate risk if there would be a security vulnerability allowing to include and execute an uploaded PHP file. But it's unlikely to happen with Espo.


          • yuri
            yuri commented
            Editing a comment
            Considering, files are stored w/o extension, uploading PHP does not differ from uploading any TXT file. But a lot of security specialist would not admit it. It's more the question of proficiency of such security specialists.

        • #6
          Thanks for the info.

          As I say most WordPress sites we do need a lot of additional CSS but usually don't require any extra .php code from us.

          But those sites that use the WooCommerce e-com plugin often need a ton of additional code snippets since the plugin is basically 'bare bones.'

          We don't know of any database application that is safer (or more secure) than EspoCRM to store client info stuff in.

          Also 100% of the .php code we store changes the look (cosmetic) of the shopping cart, not the functionality of it.

          For example on the Cart screen, Woo defaults to the word "Product" as the column heading of the items to be bought.

          However clients who sell books don't want to see "product' as the heading, they want to see "Books" and that can only be done by 10+ lines of .php.

          That kind of code is hardly a 'security threat' if it was executed by a bad-actor who somehow hacked into our server-instance of EspoCRM.

          Thanks again.


          • #7
            Thank you all for the explanations. In this context I have another question: How secure are personal data of clients, e.g. in contacts or accounts. Would it be possible to hack those data out of espoCRM? Of course I mean by an easy way.


            • #8
              > Would it be possible to hack

              There's no simple answer on such a question.


              • yuri
                yuri commented
                Editing a comment
                * Use 2FA.
                * Don't use an admin user for daily work.
                * Log out when leave your PC.

                It will mitigate the risk.