On Friday 22 September 2006 22:58, Andy Hultgren wrote: > Hi, > I am relatively new to php and am trying to set up a file upload > process for my website. I have read through the php security > documentation and a number of the security-related questions on these > lists and am attempting to implement as many of the measures as > possible. > One of the suggestions I have read is to have the uploaded files saved > somewhere outside of your root directory. Unfortunately I cannot do > that as my root directory is simply www.myDomain.com and not > ".public_html/" and I am on a shared server where my root cannot be > changed (I have already asked). So, I am trying to keep the > permissions on my "saved_files" folder as tight as possible except > when the actual upload occurs. I this as follows: > > 1) The actual file upload comes through Flash8, and when the user > uploads a file it is sent to > www.domain.com/flash8directory/upload.php, which is in the same > directory as the Flash8 upload application. > 2) upload.php first chmod 0740 the "saved_files" folder (which is > located at www.domain.com/flash8directory/saved_files/). Then it does > security checks to make sure an appropriate image has been uploaded, > and if everything looks good it moves the uploaded file to > "saved_files". > 3) The Flash8 upload application is notified of the completion of the > upload and downloads the new image it its viewer. > 4) Once the download is complete and Flash8 no longer needs to work > with the file, the Flash8 application notifies a separate php script > by sending the variable "complete=1" to lockdown.php (located at > www.domain.com/flash8directory/lockdown.php), which runs the following > simple script: > > <?php > > $success = 0; > $complete = $_POST['complete']; > > if ($complete==1) { > if(chmod("./saved_files", 0100)) { > success = yes; > echo "success=yes"; > } > } > ?> > > This script works and "saved_files" is set to chmod 0100, but here is > the problem. If I then navigate directly to the url of the uploaded > file by entering its path in my > browser(www.domain.com/flash8directory/saved_files/uploadedFile.jpg), > the uploaded file appears in my browser! However, if I then refresh > the browser I get the desired error message saying I do not have > permission to access that file. Also, other browser windows never > have access to view the uploaded file, only the browser from which the > file was uploaded. > > Any thoughts on why I can view the uploaded file even though it has > been set to chmod 0100? I'd really rather not have those files > accessible to anyone, as an extra security layer. > > Thank you for your help! > > Andy I don't quite understand why you cannot save to another catalog. is www.myDomain.com yer actual directory name of merely the domain? If either, login to yer domain and simply go either one step up, is that possible? You can also make use of a .htaccess file inside a sub directory to keep others from it till you have checked the file, then move it out in the open or delete after specifications. Do you have access to /tmp ? That one is possible to use, in fact any system wide directory writable by any/you is usable. -- --- Børge Kennel Arivene http://www.arivene.net --- -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php