I have a question concerning the security of my file upload script. I'm using
the PHP upload routines (move_uploaded_file, ...) and variables ($_FILES) to
upload images to a web directory. Everything works fine, meaning that I can
upload images, BUT only if I change the permission of the directory to which
the uploaded images are moved to 777. I guess that this is not such a good
thing from a security point of view. So here are some questions I have:
1) Is this really that dangerous? How could this be exploited by an
attacker?
2) Using chmod in my PHP script (to switch back and forth between 700 and
777) is not an option since I'm on a virtual host and PHP is in safe mode.
3) Creating a directory which is not reachable by web browser does not seem to
be possible either, since outside my web directory everything is root-owned
and obviously only my ISP has root permission ;-)
4) I know that changing to FTP functions might solve this problem, but I want
to do image resize operations on the uploaded image afterwards anyway, so I
would prefer solutions allowing the creation of safe directories or
something similar.
5) Any hints and/or tips on making safe file upload applications in PHP are
welcome.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
