I have a question concerning the security of my file upload script. I'm using the PHP upload routines (move_uploaded_file,...) and variables ($_FILES) to upload images to a web directory. Everything works fine, meaning that I can upload images, BUT only if I change the permission of the directory to which the uploaded images are moved to 777. I guess that this is not such a good thing from a security point of view. So here are some questions I have:

1) Is this really that dangerous? How could this be exploited by an attacker?

2) Using chmod in my PHP script (to switch back and forth between 700 and 777) is not an option since I'm on a virtual host and PHP is in safe mode.

3) Creating a directory which is not reachable by web browser does not seem to be possible either since, outside my web directory, everything is root-owned and obviously only my ISP has root permission ;-)

4) I know that changing to FTP functions might solve this problem, but I want to do image resize operations on the uploaded image afterwards anyway, so I would prefer solutions allowing the creation of safe directories or something similar.

5) Any hints and/or tips on making safe file upload applications in PHP are welcome.