views: 51
answers: 2

I have a classifieds website with a picture script for uploading pics onto the ads.

The pics are uploaded to the "images" dir.

The php code which does this requires write access to the directory I am guessing...

So, what permissions would you set to the php upload file, and the images directory?

I am thinking like this:

 drwxr-xr-x 

Safe/good or not?

Thanks

ALSO, another short Q: Should I have my website's files owned by the username I have, or should I keep them owned by root?

+1  A: 

drw-r--r-- (644). Be careful with users being able to push php/other scripting and executable files up to your server.

Be careful with users being able to push js and html files up to your website.

Owned by the username you have for your webserver. Don't make root own files it has no business owning. Root is the administrator, not your webserver.

Have a look in your php.ini file for upload_tmp_dir =

Dan McGrath
Okay... but that's my Q, how can I "be careful"... What should I do to prevent them? I have heard about moving the images directory outside my www folder, but haven't looked into it yet. Do you know anything of this?
Camran
Don't allow code to be executed in your upload directory. Confirm images uploaded are actually images. Don't allow any other uploads. Is there a particular reason you need a non image upload directory?
Dan McGrath
no, only images are "supposed" to be uploaded to the directory... What about moving the folder outside www?
Camran
Have a look in your php.ini file for 'upload_tmp_dir ='
Dan McGrath
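The three points in the answer above (confirm uploads are really images, allow nothing else, keep executable code out of the upload directory) can be put together in the upload handler itself. The following is an added example written for this thread, not code from the original question or answers; it assumes a form field named `picture` and a constant `UPLOAD_DIR` that points to a directory outside the web root which the webserver user can write to (the path shown is an assumption).

```php
<?php
// Added example (not from the original thread): a hardened image upload
// handler for the classifieds "images" directory discussed above.
// Assumptions: the form field is named "picture", and UPLOAD_DIR is a
// directory OUTSIDE DocumentRoot, writable by the webserver user.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/classifieds-data/images'; // assumed path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;

// Only these content types (sniffed from the bytes, never taken from the
// client's claim) are accepted; each maps to the single extension the
// stored file is allowed to carry.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one uploaded file and move it into UPLOAD_DIR.
 * Returns the stored filename, or throws on any failed check.
 */
function storeUploadedImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . (string) $file['error']);
    }
    // Refuse anything PHP did not itself receive through an HTTP POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // Sniff the real content type; $file['type'] is chosen by the client and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_TYPES)) {
        throw new RuntimeException('Rejected content type: ' . $mime);
    }
    // Second, independent check: the image decoder must agree it is an image of that type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File is not a decodable image');
    }

    // Never reuse the client-supplied name: generate one, with a fixed extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    // Readable by the webserver, writable only by the owner, executable by nobody.
    chmod($dest, 0644);
    return $name;
}

// Usage from the ad's upload form handler:
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['picture'])) {
    try {
        $stored = storeUploadedImage($_FILES['picture']);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The directory itself should be owned by the webserver user with mode 0755, as the question proposes (`drwxr-xr-x`), so the server can create files in it while no other account can; the files get 0644 because nothing in that directory ever needs the execute bit. Because the client's filename and declared type are discarded, a file named `shell.php` or `image.jpg.php` cannot survive the check, and because the directory is not under DocumentRoot, even a file that slipped through could not be reached or executed by URL.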
A: 

make a .htaccess with

# Deny everything in the upload directory by default, then
# re-allow only files whose extension is one of the image types.
# <Files> takes a literal name or shell glob; a regular expression
# needs <FilesMatch> (Apache 2.2 syntax, matching the original).
Order deny,allow
Deny from all
<FilesMatch "\.(?i:jpe?g|png|gif)$">
    Allow from all
</FilesMatch>

to allow only these files to be uploaded. And check with a php function before upload in your code.

Moving the folder outside the www-root is good too. You can make apache the owner also.

c-verde
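If the images directory is moved outside the www-root, as both answers suggest, the ads need some way to display the pictures. The following is an added example, not code from this thread, showing a small PHP serving script that maps a strictly validated name to a file under `IMAGE_DIR` (an assumed path, chosen to match where a hardened upload handler would store files named `<32 hex chars>.<jpg|png|gif>`) and streams it back with a fixed content type.

```php
<?php
// Added example (not from the thread): serve an image stored OUTSIDE the
// web root. Nothing in the upload directory is reachable as a URL, so Apache
// can never be tricked into executing a file there; only this script reads it.
// Assumptions: IMAGE_DIR is the upload directory outside DocumentRoot, and
// stored files are named <32 hex chars>.<jpg|png|gif>.
declare(strict_types=1);

const IMAGE_DIR = '/var/www/classifieds-data/images'; // assumed, outside the web root
const TYPES = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

/**
 * Map a requested name to a real file under IMAGE_DIR, or return null.
 * The strict pattern rules out "../", null bytes, and any extension other
 * than the three allowed; the realpath() prefix check is a second guard.
 */
function resolveImage(string $name): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\.(jpg|png|gif)\z/', $name)) {
        return null;
    }
    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return null;
    }
    // The canonical path must still sit directly inside the image directory.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Usage: <img src="image.php?img=<stored name>"> in the ad page.
$path = resolveImage((string) ($_GET['img'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
$ext = pathinfo($path, PATHINFO_EXTENSION);
header('Content-Type: ' . TYPES[$ext]);
// Stop browsers from sniffing a different type out of the bytes.
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

With this layout the `.htaccess` above becomes a second line of defence rather than the only one: the upload directory has no URL at all, the only thing the browser ever fetches is `image.php`, and the script refuses any name that does not match the generator's pattern, so a stray `.php` or `.html` file in the directory is never served with a type the browser would execute.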