  1. #1
    Scout141

    PHP Upload & Security

    I was wondering if it makes a difference, security-wise, if I put the directory where files are uploaded to (through a php script) outside of the public_html folder on my server?

    i.e. php page: /server/home/public_html/upload/upload.php (accessed using: http://www.sitename/upload/upload.php)

    and the file gets dumped into: /server/home/uploads/new (cannot be accessed by web browser)

    It seems to me like it would be harder to get at it if it could not be served up in a browser... but I'm a bit of a neophyte as far as PHP and security are concerned.

    TIA

  2. #2
    PHP John
    Actually, it is my understanding that placing such a folder above or to the side (relatively speaking) is a good security measure. The script should have no problems accessing them as long as the permissions are set properly.
    John

  3. #3
    Jeff Lange
    Yes it is a good security measure.
    Who walks the stairs without a care
    It shoots so high in the sky.
    Bounce up and down just like a clown.
    Everyone knows it's Slinky.

  4. #4
    Toly
    If you leave your images folder inside the public_html folder, there's a way to prevent images from being displayed on their own by setting a command in an .htaccess file.

    http://www.javascriptkit.com/howto/htaccess11.shtml

    "He that is kind is free, though he is a slave;
    he that is evil is a slave, though he be a king." - St. Augustine

  5. #5
    Jeff Lange
    Yes, but if a user knows where the directory is, and is "intelligent", he can do damage, because the permissions on that directory have to be set to allow writing.

    Mind you, this isn't always a security risk if it is set up right, but I'd say, especially if you were selling a script, make the directory user-selectable, and always access the files through a script.

  6. #6
    Scout141
    Cool. I was hoping that would be the answer.

    I was a little concerned about leaving an open directory on the web server. It seemed like it just invited people to try and mess around on the server.
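
The arrangement the thread settles on (uploads stored outside public_html and always read back through a script), shown as an added example that is not any poster's code. The directory is the one from the question; the image allow-list, the function names `store_upload` and `serve_upload`, and the generated file-name format are assumptions.

```php
<?php
// Added example, not from the thread. The directory is the one in the question;
// it lies outside public_html, so the web server never maps a URL onto it.
const UPLOAD_DIR = '/server/home/uploads/new';
// Assumed allow-list: detected MIME type => extension the file is stored under.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Move one entry of $_FILES into UPLOAD_DIR under a server-chosen name.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Detect the type from the content; the client-supplied name and type are untrusted.
    $mime = (string) (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('type not allowed');
    }
    // Random name: the uploader controls neither the file name nor the extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name; // hand this id back to the application, never a path
}

// Stream a stored file to the client; $id is a name store_upload() returned.
function serve_upload(string $id): void
{
    // Accept only names in the format generated above, which rules out "../" and absolute paths.
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg|gif)\z/', $id)) {
        http_response_code(400);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    // Content type comes from the allow-list, not from anything the client sent.
    header('Content-Type: ' . array_search(substr($id, 33), ALLOWED, true));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

upload.php would call `store_upload()` on its `$_FILES` entry, and a separate script inside public_html would pass a request parameter to `serve_upload()`. Only the PHP process needs write access to the upload directory.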

