> Would some please provide me some simple rules for dealing with php > scripts to > fopen(), copy() and move_uploaded_file(). > > Environment is Linux, Apache on a virtual host > > I've spent a lot of time goggling, etc. and can find lot's of explanations > for > owner, group and world. They sound great; but don't work for me. > > This stuff worked on our previous host, it simply assigned "customer" to > everything Your current host has given you TWO different usernames, sort of. One is the one you use to login to the shell. This is probably something like 'al' or 'ridersite' or some variant on your name/site. The other is the one running Apache/PHP. This is probably 'nobody' or 'apache' or 'www' or something like that. If you want PHP from the web to be able to do something to a file, you need to make that file owned by the Apache user. > Here is my directory structure and permissions: > > /foo [user accessed php scripts] permissions= 755 > /foo/data [simple text files] permissions = 777 > files in /data permissions= 644 > > Have tried lots of other dir and file permissions > > owerships are our site handle. Here's what you do to get a whole directory OWNED by the PHP user: Step 1: TEMPORARILY make a directory world-writable with "chmod 777 xxx" Step 2: Write a PHP script to create a directory (http://php.net/mkdir) *inside* that directory: <?php mkdir("/path/to/xxx/php_owned");?> Step 3: Change xxx back to sensible permissions: "chmod 755 xxx" Ideally, you would make this directory owned by PHP *not* in your web tree, but in some other directory. You would then write PHP scripts to provide access to that directory. Those scripts would then contain code to make *SURE* the content you were sending out "looked right" The reason for this is that the php_owned directory can be altered by *ANYBODY* who can write a PHP script on your server. So if you have some cross-checks in your scripts before you serve up the content, you can "catch" that kind of thing. You can cross-reference the files in that directory with records in a database of what you expect to be there. You can make sure that images "look" like image files with http://php.net/imagegetsize In your case, you could store the last known size of the file in your database, and check that right before you append to make sure somebody else hasn't snuck some data in there. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
