-
May 20, 2003, 13:48 #1
- Join Date
- Apr 2003
- Location
- Montgomery, TX
- Posts
- 59
Uploading files - Directory Security
Hello all,
I'm allowing logged in users to upload photos to a specific directory. The directory has 777 access rights. How much of a security risk is it to have a directory with 777 rights? I'm worried about someone being able to put something malicious in there.
Thanks for the input.
David
-
May 20, 2003, 14:12 #2
Make sure the files they are uploading are .gif, jpg ... picture extensions... don't let them upload php, asp files etc because with chmod 777 they can execute it and try some things.
Quasar - Web Development - Free Avatars
-
May 20, 2003, 14:21 #3
Ramiro,
Thanks for the reply. In my script, I am limiting to .jpg and .gif, but I was worried about people getting access from outside of my script. I guess if a hacker wants to get access, they can do it whether it's 777 or not, correct?
Thanks,
David
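The extension check discussed in the posts above can be made harder to bypass by deciding the file type from the file's contents and letting the server choose the stored name. This is an added example, not code from the thread; the directory path, the form field name `photo` and the size limit are assumptions.

```php
<?php
// Added example (not from the thread). UPLOAD_DIR, the "photo" field and
// MAX_BYTES are assumptions chosen for illustration.
const UPLOAD_DIR = '/var/www/uploads';   // assumed: mode 0755, owned by the PHP user
const ALLOWED    = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
const MAX_BYTES  = 2 * 1024 * 1024;

function store_photo(array $file, string $dir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept files PHP itself received over HTTP POST, and cap the size.
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected: size or origin');
    }
    // Decide the type from the file's bytes, never from the client-supplied name.
    $info = @getimagesize($file['tmp_name']);
    $ext  = $info === false ? null : (ALLOWED[$info[2]] ?? null);
    if ($ext === null) {
        throw new RuntimeException('rejected: not a JPEG or GIF');
    }
    // Server-chosen name: random, fixed extension, no user-controlled path parts,
    // so a file named "photo.php" can never land in the directory under that name.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // owner read/write, others read-only, nobody execute
    return $name;
}

if (isset($_FILES['photo'])) {
    try {
        echo 'stored as ', htmlspecialchars(store_photo($_FILES['photo']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

A header check alone does not prove a file is harmless, which is why the stored name always ends in a fixed image extension chosen by the server.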
-
May 20, 2003, 18:10 #4
- Join Date
- Mar 2003
- Location
- Hamilton, Ontario
- Posts
- 129
What you might want to do is have php chmod the folder 777, upload the files, then chmod the folder back to something safe.
-
May 21, 2003, 06:04 #5
Liam,
That's a great idea, I'll try that.
-
May 21, 2003, 06:17 #6
- Join Date
- Aug 2001
- Location
- Amsterdam
- Posts
- 788
hmm .. I always understood that the folder might be on level 777 but the files you upload standard have a lower level (at least on Linux that is..)
All depending on the security mask...
the neighbours (free) WIFI makes it just a little more fun
-
May 21, 2003, 06:22 #7
Liam,
I tried to do chmod ("path", 0777);, but I get an error:
"Warning: chmod() [function.chmod]: Operation not permitted in myphpfile.php line 99"
-
May 21, 2003, 06:58 #8
Originally Posted by dkroll
In Linux your php daemon isn't always the same (nor in the same group) as the ftp daemon ...
This is why if you have a script do actions on files and dirs the rights have to be set at 777 or the folder needs to be created using the php-daemon
complex... lets i.e.
I logged on to the server using ftp and created folder x; this makes the user running ftp the owner of the folder ...
If I have php and let that create a folder y then the daemon running php will be the owner for folder y and I won't be able to control the properties nor delete it using ftp...
wanna set the chmod using ftp functions??
PHP Code:
// set up basic connection
$conn_id = ftp_connect($ftpadres);
// login with username and password
$login_result = ftp_login($conn_id, $ftplogin, $ftppassword);
// php(ftp) command for chmod
ftp_site($conn_id, "chmod 777 $target");
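The ownership mismatch described in the posts above, and the "Operation not permitted" warning from chmod(), can be confirmed by comparing the owner of the directory with the user PHP runs as. This is an added diagnostic example, not code from the thread; the path is an assumption and the POSIX extension is assumed to be available.

```php
<?php
// Added example (not from the thread). The path below is an assumption.
function audit_path(string $path): array
{
    clearstatcache(true, $path);
    $mode  = fileperms($path);
    $owner = fileowner($path);
    if ($mode === false || $owner === false) {
        throw new RuntimeException("cannot stat $path");
    }
    // Effective uid of the PHP process (web server user), if ext/posix is loaded.
    $euid = function_exists('posix_geteuid') ? posix_geteuid() : null;
    return [
        'mode'           => sprintf('%04o', $mode & 07777),
        'owner_uid'      => $owner,
        'process_uid'    => $euid,
        // chmod() works only for the owner or root, whatever the mode bits say.
        'can_chmod'      => $euid !== null && ($euid === 0 || $euid === $owner),
        'world_writable' => (bool) ($mode & 0002),
    ];
}

function findings(array $a): array
{
    $out = [];
    if ($a['process_uid'] === null) {
        $out[] = 'posix extension missing: cannot determine the PHP process user';
    } elseif (!$a['can_chmod']) {
        $out[] = "PHP runs as uid {$a['process_uid']} but uid {$a['owner_uid']} owns the path: "
               . 'chmod() from PHP will fail with "Operation not permitted"';
    }
    if ($a['world_writable']) {
        $out[] = "mode {$a['mode']} is world-writable: every local account can add files here";
    }
    return $out ?: ['owner matches the PHP process and the path is not world-writable'];
}

$path = '/var/www/uploads';   // assumed upload directory
if (file_exists($path)) {
    foreach (findings(audit_path($path)) as $line) {
        echo $line, PHP_EOL;
    }
}
```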
-
May 21, 2003, 07:14 #9
I deleted the directory and did a mkdir using PHP. Then I uploaded a file to that directory, but I can't delete it in FTP, I assume that I'll have to use PHP to delete the file now. I wonder if the FTP route you described would be easier.
-
May 21, 2003, 07:51 #10
Originally Posted by dkroll
The reason why is that I didn't wanna use a filemanager in PHP ..
And since PHP can do FTP and the other way around isn't possible I decided to go for the FTP option...
Hey, sometimes life is just not perfect
-
May 21, 2003, 07:55 #11
But then I have to upload the file through ftp and delete it through ftp, correct?
-
May 22, 2003, 02:16 #12
No, not correct ... I use PHP all the time to upload and delete files... But that's the way my system works ... the php daemon has more rights than the ftp user ...
Get in contact with your host to figure this out or just try...
-
May 22, 2003, 06:01 #13
I haven't tried to delete with php yet, but I did get my upload script working with ftp, it works quite well.