Forum Index » PHP and mySQL


        Viewing Topic: folder permissions and security
David1159
Subject: "folder permissions and security" Posted: @ 5:02 am on Jan 29 2008

Member #: 526
Rank: User - (81)
Since: 12/27/07
Posts: 81
From: usa

I am concerned a lot about this. I have been studying up on folder permissions 755, 777, 666, etc.

I implemented the Image Uploader script here (modded it a ton though, multiple [10] image uploads at the same time and they all can be sent to different folders for organization.)
Anyways.

The only way I can get images to stream is by 777 folder permission of the galleries directory. But 777 has huge security risks.

I currently see no other way around this other than 777.

Now am I protected via the AllSyntax Image Uploading script only allowing .jpg and .png files? Any other uploaded file is sent to an error: not allowed file type.

I really hope I explained this clearly, thank you for your time.


Coding is simply CST... Combining $hit Together. We make different $hit to run in unison correctly.
Viewed: 6,982 Times
misterhaan
Subject: "re: folder permissions and security" Posted: @ 4:02 pm on Jan 29 2008

Member #: 5
Rank: User - (213)
Since: 02/11/05
Posts: 148
From: chair

if it only works with 777 that means your upload script is running as a different user than the user that owns the directory. when php is run as an apache module it generally runs as a generic apache user, and the files are probably owned by your user. if you're in a shared hosting environment there's probably nothing you can do about it unless you have the option of running php as cgi, in which case the script runs as your user and you can drop the write permission for group and everyone (so 755).




please note that the above post is likely made up in its entirety.

Viewed: 6,968 Times
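As an added illustration of the point in the post above (this is example code, not from the thread or the AllSyntax uploader), a small PHP diagnostic that reports which user the PHP process runs as versus who owns the gallery directory, and from that works out the least-permissive mode that would still let the script write. The `galleries` path is an assumed one; the `posix` extension is assumed to be loaded.

```php
<?php
// Added example, not part of the thread: compare the PHP process's effective
// uid/gid with the upload directory's owner/group and report the minimal mode
// that grants this process write access. Path below is an assumption.
$galleryDir = __DIR__ . '/galleries';

function describeWriteAccess(string $dir): array {
    if (!function_exists('posix_geteuid')) {
        throw new RuntimeException('posix extension required for this check');
    }
    $st = stat($dir);
    if ($st === false) {
        throw new RuntimeException("cannot stat $dir");
    }
    $mode  = $st['mode'] & 0777;   // permission bits only
    $owner = $st['uid'];
    $group = $st['gid'];

    $uid  = posix_geteuid();               // user the script actually runs as
    $gids = posix_getgroups();             // supplementary groups of the process
    $gids[] = posix_getegid();

    if ($uid === $owner) {
        // Script runs as the directory owner: 755 is enough (u=rwx, g=rx, o=rx).
        $relation = 'owner';
        $minimal  = 0755;
    } elseif (in_array($group, $gids, true)) {
        // Same group as the directory: group write is needed, world write is not.
        $relation = 'group';
        $minimal  = 0775;
    } else {
        // Generic web-server user, unrelated to the owner: only world write
        // (777) works with chmod alone; the real fix is running PHP as your
        // user (CGI/suPHP), as the post says, or chown'ing the directory.
        $relation = 'other';
        $minimal  = 0777;
    }

    return [
        'process_uid'  => $uid,
        'owner_uid'    => $owner,
        'relation'     => $relation,
        'current_mode' => sprintf('%04o', $mode),
        'minimal_mode' => sprintf('%04o', $minimal),
        'writable_now' => is_writable($dir),
    ];
}

print_r(describeWriteAccess($galleryDir));
```

If `relation` comes back as `other`, chmod cannot make the setup safe: every other account on the shared host that can reach the path also gets write access with 777. The options are the ones the post names (PHP as CGI so the script runs as your user) or having the host change the directory's owner or group.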

Member #: 526
Rank: User - (81)
Since: 12/27/07
Posts: 81
From: usa

Yes the Server is a shared Server.

Also, the Upload.php isn't just for the Admin to upload, it is available for all users to upload.

My only concern is hacking through the 777 since it allows all users read/write/execute and I am allowing uploading of files.

I only allow the file extensions .jpg, .gif, .png through my upload.php. So I think it will be fine, but I just want an advanced PHP coder's opinion.

Thanks.
-David1159




Coding is simply CST... Combining $hit Together. We make different $hit to run in unison correctly.

Viewed: 6,963 Times
misterhaan
Subject: "re: folder permissions and security" Posted: @ 7:07 pm on Jan 30 2008

Member #: 5
Rank: User - (213)
Since: 02/11/05
Posts: 148
From: chair

what i would consider a security concern is that the other users on your same shared server may be able to add/change/delete files in that directory. do they allow shell access (telnet or ssh)? if not, then you should be fine as ftp is generally locked down to the user directory and anything underneath.

beyond that the only way to add a file is through your upload script, so you just need to make sure that script limits the size and type of files that can be uploaded. note that if you're determining the file type by $_FILES[]['type'] or by the uploaded filename those both come from the client and can be faked. if you only accept images, use getimagesize() on the uploaded file and make sure that index 2 of the array that returns is what you want. for other file types you'd need to do your own checking to ensure that the pdf file somebody uploaded isn't just a renamed mp3.

for size limits that's pretty straightforward, and also php has its own upload size limit, somewhere around 8 meg normally.




please note that the above post is likely made up in its entirety.

Viewed: 6,941 Times
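As an added example of the checks described in the post above (example code, not the thread's upload.php or the AllSyntax script), an upload handler that ignores `$_FILES[]['type']` and the client filename, validates the content with `getimagesize()` by looking at index 2, enforces a size limit, and stores the file under a server-generated name. The `$_FILES['image']` field name, the `galleries` path and the 2 MB limit are assumptions.

```php
<?php
// Added example, not from the thread: validate an uploaded image by its
// actual content, not by the client-supplied MIME type or filename.
// Field name, directory and size limit below are assumptions.

const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // 2 MB, a constructed limit

function validateImageUpload(array $file): array {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . ($file['error'] ?? 'unknown'));
    }
    // Only accept files PHP itself received in this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Size: check the real on-disk size, not just the reported one.
    if (filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // getimagesize() parses the image header; index 2 is an IMAGETYPE_* value.
    // $_FILES['image']['type'] and the filename are never consulted.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_IMAGE_TYPES[$info[2]])) {
        throw new RuntimeException('not a JPEG, PNG or GIF image');
    }
    // Generate our own name; the extension follows the detected type, so a
    // client name like "photo.php" can never reach the gallery directory.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$info[2]];
    return ['name' => $name, 'width' => $info[0], 'height' => $info[1]];
}

function storeUpload(array $file, string $galleryDir): string {
    $meta = validateImageUpload($file);
    $dest = rtrim($galleryDir, '/') . '/' . $meta['name'];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $dest;
}

// Usage inside the upload handler (field name assumed):
// $saved = storeUpload($_FILES['image'], __DIR__ . '/galleries');
```

Two design notes: the server-generated filename means the client never controls the extension, which matters more than the type check on its own, because a valid image file can still carry arbitrary bytes in its metadata; and the gallery directory should be configured so the web server never executes anything in it, so a stored file is only ever served as data. Re-encoding the image with GD before saving is a further option that discards anything outside the pixel data.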

Member #: 526
Rank: User - (81)
Since: 12/27/07
Posts: 81
From: usa

Cool, thank you.

The directory for all images will be locked in .htaccess that only members of my sql table logged in can access the directory.





Coding is simply CST... Combining $hit Together. We make different $hit to run in unison correctly.

Viewed: 6,935 Times