For whatever reason when I ftp in using WinFtp I don't see public_html (it's hidden, don't know why; if I make a directory called ".public_html" it gets created and then disappears), but I can see my file structure from my host's website and so I know that when I ftp in to myDomain.com this is what is "there":

index.htm
page1.htm
page2.htm
.public_html/
images/
etc. etc.

Currently nothing is stored in my .public_html directory since it is not my root (and my website loads just fine when browsed to). I don't ftp in from DreamWeaver and it isn't an issue of going straight to public_html just to skip the cd step. public_html just isn't set up as my root directory and I have no directories accessible that are higher than my root.

So, since I have no access to directories outside of my root, do you really think I should change that before allowing file uploads? (either by changing servers or just bugging my server administrator until he changes it)

I currently check extension type and then image type using get_image_size(); and also files with image extensions are not executable on the server. However, from what I've read I understand that those steps are the minimum in terms of file upload security.

Also, I'd be curious still to hear why I can browse to a file in a directory that has been set with chmod 0100. I really didn't expect that.

Thanks again very much for your thoughts,

Andy

On 9/22/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
I may have hit "send" too soon...

Like, when you do FTP, do you see:
index.htm
page2.htm
page3.htm
right away?

*OR*, do you see:
public_html
And then you do "cd public_html" and THEN you see the files?

If you don't do "cd public_html" then I really don't think accepting file uploads is a Good Idea, unless you have access to /tmp or something to put the files in...

If you do "cd public_html" then you actually HAVE space outside your webtree. Just do "mkdir uploads" and "chmod 777 uploads" *BEFORE* you do "cd public_html" and you'll have an uploads dir outside the webtree where you can put stuff.

NOTE: Some fancy FTP tools like DreamWeaver and whatnot will convince you to put "public_html" into some input box somewhere, to give you the convenience of not needing to "cd public_html" -- which then means you never *SEE* that you have space outside your webtree... Stop doing that. An extra click or whatever to get into public_html is not that big of a deal.

On Fri, September 22, 2006 7:21 pm, Andy Hultgren wrote:
> So pretty much there's nothing to be done about it? If I can get the
> chmod thing to make it so that you can't surf to your uploaded image
> afterwards and view it, I'd be happy with that solution. I'd like to
> stick with this host if I could.
>
> On 9/22/06, Richard Lynch <ceo@xxxxxxxxx> wrote:
>> On Fri, September 22, 2006 3:58 pm, Andy Hultgren wrote:
>> > that as my root directory is simply www.myDomain.com and not
>> > ".public_html/" and I am on a shared server where my root cannot
>> be
>>
>> I got two words for you:
>>
>> Change Hosts
>>
>> --
>> Like Music?
>> http://l-i-e.com/artists.htm
>>
>>
>>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
Like Music?
http://l-i-e.com/artists.htm
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
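A PHP upload handler along the lines Richard describes above (store the file outside the webtree, check the real image content, serve it back through a script), added here as an illustration and not code from the thread. It assumes the script lives in public_html/, that an uploads/ directory was created one level above it, and PHP 7 or later for random_bytes(); the names store_upload and serve_upload are hypothetical.

```php
<?php
// Added example: the uploads dir sits beside public_html, outside the webtree
// (assumption: this script is in public_html/, so one level up is outside it).
$uploadDir = dirname(__DIR__) . '/uploads';
$allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
function store_upload(array $file, string $uploadDir, array $allowed): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Check the actual image content, not the client-supplied name or MIME type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not an accepted image type');
    }
    // Server-chosen name: nothing from the client reaches the filesystem path.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    $dest = $uploadDir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);  // readable by the web server, never executable
    return $name;
}
// Serve a stored image back through PHP, since the browser cannot reach the
// uploads directory directly. $id comes from a query string such as ?id=...
function serve_upload(string $id, string $uploadDir, array $allowed): void
{
    // Only accept the exact name shape store_upload() produces: no ../, no slashes.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $id)) {
        http_response_code(404); return;
    }
    $path = $uploadDir . '/' . $id;
    $info = is_file($path) ? @getimagesize($path) : false;
    if ($info === false || !isset($allowed[$info[2]])) {
        http_response_code(404); return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
if (isset($_FILES['image'])) {
    echo htmlspecialchars(store_upload($_FILES['image'], $uploadDir, $allowed));
} elseif (isset($_GET['id'])) {
    serve_upload($_GET['id'], $uploadDir, $allowed);
}
```

Because the stored file is never under the document root, a browser cannot request it directly, which is the property Richard is after; the serving function is the only path to it and sets the content type itself.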