I always use the ftp functions of php to upload files. I think it's safer than the move_uploaded_file function.

"Andy Hultgren" <wearhdphp@xxxxxxxxx> wrote in message news:3d9c688e0609221358j55d1d49fg9e29969b5028023f@xxxxxxxxxxxxxxxxx
> Hi,
>
> I am relatively new to php and am trying to set up a file upload process for my website. I have read through the php security documentation and a number of the security-related questions on these lists and am attempting to implement as many of the measures as possible.
>
> One of the suggestions I have read is to have the uploaded files saved somewhere outside of your root directory. Unfortunately I cannot do that as my root directory is simply www.myDomain.com and not ".public_html/" and I am on a shared server where my root cannot be changed (I have already asked). So, I am trying to keep the permissions on my "saved_files" folder as tight as possible except when the actual upload occurs. I do this as follows:
>
> 1) The actual file upload comes through Flash8, and when the user uploads a file it is sent to www.domain.com/flash8directory/upload.php, which is in the same directory as the Flash8 upload application.
>
> 2) upload.php first chmods the "saved_files" folder (which is located at www.domain.com/flash8directory/saved_files/) to 0740. Then it does security checks to make sure an appropriate image has been uploaded, and if everything looks good it moves the uploaded file to "saved_files".
>
> 3) The Flash8 upload application is notified of the completion of the upload and downloads the new image into its viewer.
>
> 4) Once the download is complete and Flash8 no longer needs to work with the file, the Flash8 application notifies a separate php script by sending the variable "complete=1" to lockdown.php (located at www.domain.com/flash8directory/lockdown.php), which runs the following simple script:
>
> <?php
>
> $success = 0;
> $complete = isset($_POST['complete']) ? $_POST['complete'] : 0;
>
> if ($complete == 1) {
>     // 0100: the owner may still traverse the directory, but nobody may list or read it
>     if (chmod("./saved_files", 0100)) {
>         $success = 1;
>         echo "success=yes";
>     }
> }
> ?>
>
> This script works and "saved_files" is set to chmod 0100, but here is the problem. If I then navigate directly to the url of the uploaded file by entering its path in my browser (www.domain.com/flash8directory/saved_files/uploadedFile.jpg), the uploaded file appears in my browser! However, if I then refresh the browser I get the desired error message saying I do not have permission to access that file. Also, other browser windows never have access to view the uploaded file, only the browser from which the file was uploaded.
>
> Any thoughts on why I can view the uploaded file even though it has been set to chmod 0100? I'd really rather not have those files accessible to anyone, as an extra security layer.
>
> Thank you for your help!
>
> Andy

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
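The upload-then-lockdown sequence Andy describes, written out as one script with the image checks made concrete. This is an added example for this thread, not Andy's code or anything from the list; it assumes PHP 7 or later with the fileinfo extension, that the upload field is named "Filedata" (the default field name for a Flash FileReference upload, an assumption here), that saved_files sits next to the script as in the post, and that PHP runs as the owner of that directory so chmod() succeeds.

```php
<?php
// Added example for the thread above (not the original poster's code).
// Assumptions: PHP >= 7 with fileinfo; upload field named "Filedata";
// ./saved_files is owned by the account PHP runs under.
declare(strict_types=1);

const SAVED_DIR = __DIR__ . '/saved_files';
const MAX_BYTES = 2 * 1024 * 1024;
// Content types we accept, mapped to the extension we store them under.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Validate one $_FILES entry and return the extension to store it under,
 * or null if anything looks wrong. Every check is on the file content;
 * the client-supplied name and 'type' are attacker-controlled and ignored.
 */
function validate_image_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {   // must be this request's upload
        return null;
    }
    if ($file['size'] > MAX_BYTES) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        return null;
    }
    $info = @getimagesize($file['tmp_name']);     // must parse as an image of that same type
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED[$mime];
}

/** Open the directory only while writing, store under a random name, return that name. */
function store_upload(array $file): ?string
{
    $ext = validate_image_upload($file);
    if ($ext === null) {
        return null;
    }
    if (!chmod(SAVED_DIR, 0700)) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;  // never reuse the client's filename
    $dest = SAVED_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0644);   // readable while the Flash viewer fetches it; the directory is locked afterwards
    return $name;
}

/** The lockdown step from the post, with the assignment bug fixed. */
function lock_saved_files(): bool
{
    // 0100: owner may traverse but not list; any other account (e.g. the web
    // server when it runs under a different user than PHP) gets nothing.
    return chmod(SAVED_DIR, 0100);
}

// Request dispatch: an upload carries Filedata, the lockdown call carries complete=1.
if (isset($_FILES['Filedata'])) {
    $stored = store_upload($_FILES['Filedata']);
    echo $stored === null ? 'success=no' : 'success=yes&file=' . rawurlencode($stored);
} elseif (($_POST['complete'] ?? '') === '1') {
    echo lock_saved_files() ? 'success=yes' : 'success=no';
}
```

Two caveats a practitioner would check before relying on the chmod trick. First, mode 0100 still lets the directory's owner traverse it, so if the web server serves static files under the same account that PHP runs as (common with suPHP/CGI setups on shared hosts), it can still fetch a file by its exact name; the lockdown only helps when the server's static-file handler runs as a different user, which the "permission denied" on refresh in the post suggests is the case there. Where the host honours per-directory overrides, an .htaccess in saved_files with `Require all denied` (Apache 2.4; `Deny from all` on 2.2) blocks direct URL access regardless of accounts, and a PHP script can still readfile() the image for the viewer after its own authorisation check. Second, the one successful view right after lockdown, with a refresh and every other browser denied, is consistent with the browser showing its cached copy from the Flash download; test the lockdown from outside that browser, e.g. `curl -I` against the file's URL, rather than from the tab that just uploaded it.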