if it only works with 777 that means your upload script is running as a different user than the user that owns the directory. when php is run as an apache module it generally runs as a generic apache user, and the files are probably owned by your user. if you're in a shared hosting environment there's probably nothing you can do about it unless you have the option of running php as cgi, in which case the script runs as your user and you can drop the write permission for group and everyone (so 755).

Yes the Server is a shared Server.

Also, the Upload.php isn't just for the Admin to upload, it is available for all users to upload.

My only concern is hacking through the 777 since it allows all users read/write/exec ute and I am allowing uploading of files.

I only allow the file extensions .jpg, .gif, .png through my upload.php. So I think it will be fine, but I just want an Advance PHP coders opinion.

Thanks.
-David1159

what i would consider a security concern is that the other users on your same shared server may be able to add/change/dele te files in that directory. do they allow shell access (telnet or ssh)? if not, then you should be fine as ftp is generally locked down to the user directory and anything underneath.

beyond that the only way to add a file is through your upload script, so you just need to make sure that script limits the size and type of files that can be uploaded. note that if you're determining the file type by $_FILES[]['typ e'] or by the uploaded filename those both come from the client and can be faked. if you only accept images, use getimagesize() on the uploaded file and make sure that index 2 of the array that returns is what you want. for other file types you'd need to do your own checking to ensure that the pdf file somebody uploaded isn't just a renamed mp3.

for size limits that's pretty straightforward , and also php has its own upload size limit, somewhere around 8 meg normally.

Cool, thank you.

The directory for all images will be locked in .htaccess that only members of my sql table logged in can access the directory.