views: 209
answers: 5

What is the best practice when it comes to image upload using PHP? How should I handle the chmod settings?

Example:

I have a dir called /image/ where I want to upload all my images.

Should I set this dir to chmod 777 and leave it like that? Or should I change chmod on that folder via PHP each time I need to upload an image? What is best practice, what's the pros and cons?

Thanks!

+1  A: 

Only the user running the web server daemon needs permissions to the directory for writing. And you certainly don't want execute permissions on a directory users are uploading to.

rerun
I assumed you were using PHP for a web site; if it's scripting, pay this no heed.
rerun
+1  A: 

Usually, folder settings are set once and that's it. It's rather pointless to keep setting the folder permissions to 777 via PHP, when you have already set it to 777.

thephpdeveloper
So there is no harm in having the chmod set to 777 for a dir? (This goes for all answers below.)
jamietelin
I also upload images via FTP sometimes; will the "owner" not be different than when I upload via PHP?
jamietelin
The owner will be who logs into the FTP session.
rerun
+1  A: 

No, you don't have to change the permissions on the directory each time. Once set, they are set, so to speak.

Using 777 is overkill since it gives full permissions to everyone. Remove the 'x' bit and let apache (or whoever) own the directory. This makes it impossible to list files.

Martin Wickman
+1  A: 

I recommend chmodding to 755

DCC
+2  A: 

As thephpdeveloper mentioned, setting chmod once is enough. All subsequent writes into that directory will not change the directory permissions unless you explicitly chmod it to other permissions somewhere else.

The recommended permissions for directories on a *nix server are 755. Setting permissions to 777 is not recommended. As mentioned by wic, it gives full permissions to everyone who has access to your server, which makes it vulnerable if you are on shared hosting or sharing the server with other users.

Also to note is how PHP is run on your server. In fact, if you are running PHP as CGI, for example suphp, permissions of 777 for directories are not allowed. Scripts in directories with 777 permissions will not run and will instead cause a "500 internal server error" when attempting to execute them.

girlygeek
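The advice in the answers from Martin Wickman and girlygeek (set the directory mode once to 755 rather than 777, let the web server user own it, and keep uploads non-executable) as a small POSIX shell script. This is an added example, not code from the original thread; it assumes a web server user named www-data (override with WEB_USER) and takes the upload directory path as an argument, so neither value comes from the page.

```shell
#!/bin/sh
# Added example, not code from the original thread. It applies the thread's
# advice: set the upload directory's mode once (755, not 777), hand ownership to
# the web server user, keep uploaded files non-executable, and audit for the
# world-writable setting the answers warn against.
# Assumptions (not from the page): the web server runs as "www-data" (override
# with WEB_USER) and the upload directory path is whatever you pass in.

WEB_USER="${WEB_USER:-www-data}"

# Symbolic mode of a path, e.g. "drwxr-xr-x". Uses ls rather than stat so it
# works on both GNU and BSD userlands; column 11 (ACL/SELinux marker) is dropped.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Exit 0 when "others" may write: the 777-style setting to avoid.
is_world_writable() {
    case "$(perm_string "$1")" in
        ????????w?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Exit 0 when a directory has a sane upload mode: owner rwx, no write bit for
# group or others (755 and 750 pass; 777 and 775 fail).
upload_dir_mode_ok() {
    case "$(perm_string "$1")" in
        drwx?-??-?) return 0 ;;
        *)          return 1 ;;
    esac
}

# Exit 0 when an uploaded file is writable only by its owner and executable by
# nobody (644 and 600 pass; 755 and 666 fail).
uploaded_file_mode_ok() {
    case "$(perm_string "$1")" in
        -rw-?--?--) return 0 ;;
        *)          return 1 ;;
    esac
}

# One-time setup: create the directory, set the mode once, and give it to the
# web server user when run as root. None of this is repeated per upload.
setup_upload_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0755 "$dir"
    if [ "$(id -u)" -eq 0 ] && id "$WEB_USER" >/dev/null 2>&1; then
        chown "$WEB_USER" "$dir"
    fi
}

# Normalise a freshly uploaded file (post-upload hook or periodic sweep):
# readable, never executable, whatever mode the upload path gave it.
fix_uploaded_file_mode() {
    chmod 0644 "$1"
}

# Audit an existing upload directory: one line per finding, exit 0 only when the
# directory and every regular file inside it pass.
audit_upload_dir() {
    dir="$1"
    rc=0
    if is_world_writable "$dir"; then
        echo "WARN: $dir is world-writable ($(perm_string "$dir")); use 755, not 777"
        rc=1
    fi
    upload_dir_mode_ok "$dir" || { echo "WARN: $dir mode $(perm_string "$dir") allows group/other writes"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        uploaded_file_mode_ok "$f" || { echo "WARN: $f is $(perm_string "$f"); expected -rw-r--r--"; rc=1; }
    done
    return $rc
}

# Usage (once, as root):  setup_upload_dir /var/www/html/image
# Periodic check:         audit_upload_dir /var/www/html/image
```

The mode checks read the symbolic string from `ls -ld` instead of the octal from `stat`, because `stat` flags differ between GNU and BSD systems while the ten-character mode string does not. Note that a directory owned by the web server user with mode 755 is writable by PHP precisely because of ownership, which is why the thread's FTP question matters: a file or directory created by the FTP account is owned by that account, and the web server then needs group or other write access (or a chown) before it can write there.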