Re: secure upload file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, May 2, 2006 8:12 pm, kristianto adi widiatmoko wrote:
> how to secure folder upload file since the privilege of this folder is
> 777
>
> is any method to create a secure upload file ??

There is no such thing as "total security"

Here are things you can do to improve security:

1. chown the directory to the user PHP runs as, and make it be 755 or
even 700.

2. If #1 is impossible, because you are not root, you could:
2A. chmod the folder ABOVE your upload directory to 777 TEMPORARILY.
2B. Use PHP script to mkdir() and chmod() new directory inside 2A.
2C. chmod the folder ABOVE your upload directory back to 755
You now have a PHP-user owned directory you can work with, in PHP
scripts, to make more directories, upload files, etc.

3. *MOVE* your upload directory *OUTSIDE* your web-tree, so that
arbitrary files uploaded are simply not something a Bad Guy can surf
to.
3A. Now you have to write a bunch of PHP scripts to manage/view those
files.  Tough.
3B. The scripts you write in 3A can also make all kinds of "sanity
checks" on the files.
3B1. Are the files in your database listing of known files that belong
there?
3B2. Are the files of the right format? E.G. .jpg files should return
reasonable values for http://php.net/getimagesize

REQUIRED READING:
http://phpsec.org

If you write one more line of code without reading the above URL, we
will have no sympathy for you when, when, not if, when your server is
trashed.  Sorry.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux