RE: [PHP] upload security
[snip]
I have a question concerning security of my file upload script. I'm using the php upload routines (move_uploaded_file,...) and variables ($_FILES) to upload images to a webdirectory. Everything works fine, meaning that I can upload images BUT only if I change the permission of the directory to which the uploaded images are moved to 777. I guess that this is not such a good thing from security point of view. So here are some questions I have:
[/snip]

You should be relatively safe, and you can probably lower the permissions to 766 (world-writable drwxrw-rw-) and still be able to upload. Also, check the owner and group of the file; it should be something like nobody nogroup or nobody nobody. Your web server should be operating as nobody, which also increases security, as nobody can really do too much if set up properly. Your web host is familiar with all of these issues, so you should be OK.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] upload security
I have a question concerning security of my file upload script. I'm using the php upload routines (move_uploaded_file,...) and variables ($_FILES) to upload images to a webdirectory. Everything works fine, meaning that I can upload images BUT only if I change the permission of the directory to which the uploaded images are moved to 777. I guess that this is not such a good thing from security point of view. So here are some questions I have:

1) Is this really that dangerous? How could this be exploited by an attacker?

2) Using chmod in my php script (to switch back and forth between 700 and 777) is not an option since I'm on a virtual host and PHP is in safe mode.

3) Creating a directory which is not reachable by webbrowser does not seem to be possible either, since outside my webdirectory everything is root-owned and obviously only my ISP has root permission ;-)

4) I know that changing to ftp functions might solve this problem, but I want to do image resize operations on the uploaded image afterwards anyway, so I would prefer solutions allowing the creation of safe directories or something similar.

5) Any hints and/or tips on making safe file upload applications in php are welcome.
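
Added example (not part of the original messages): one way to harden the move_uploaded_file / $_FILES image upload the question describes, so that a directory the web server can write to only ever receives files validated as images under server-chosen names. The form field name "image", the uploads directory, the 2 MiB limit and a current PHP version (7 or later, no safe mode) are assumptions.

```php
<?php
// Added example: hardened handler for an upload form field named "image" (assumed name).
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed destination directory
const MAX_BYTES  = 2 * 1024 * 1024;        // assumed size limit: 2 MiB
// Accepted image types, mapped to the extension the server assigns.
const ALLOWED = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

function store_uploaded_image(array $file): string
{
    // Reject failed or array-style (multi-file) uploads before touching the temp file.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Confirm the temp path really is a file uploaded in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the content; $file['type'] and $file['name'] are client-supplied.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('not an accepted image');
    }
    // Server-generated name: no client-controlled characters or extension reach the disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // stored image is data: readable, never executable
    return $name;
}

if (isset($_FILES['image'])) {
    try {
        echo 'stored as ', htmlspecialchars(store_uploaded_image($_FILES['image']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage());
    }
}
```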