On Sat, October 28, 2006 11:47 am, João Cândido de Souza Neto wrote:
> I'm in a big doubt about uploading files in a safe way.
>
> I wont give permission for the web server user to write in some folder
> of my system and then use move_uploaded_file function in order to keep it
> secure.

The upload directory should NOT be in your web tree.

*BEFORE* you use move_uploaded_file() to put a file into your web tree, you should run every reasonable check you can to prove to yourself that the file is a valid format and has content you actually want.

If you are on a shared server and don't want PHP to have write access to a directory in your web tree, then don't -- Just move_uploaded_file() to another non web tree directory, and then write a PHP script with http://php.net/readfile or http://php.net/fopen and friends to serve up the files.

You can also keep a record in your DB of which files were uploaded, along with some meta-data, so that you can be sure your script only serves up the files you have already vetted.

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
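
The flow described in the reply above, as an added example that is not part of the original message: the upload is vetted while still in PHP's temp directory, moved to a directory outside the web tree, recorded in the DB, and later served by a script through readfile(). The `UPLOAD_DIR` path, the `uploads` table, the allow-list and both function names are assumptions made for illustration.

```php
<?php
// Added example; UPLOAD_DIR, the uploads table and both function names are hypothetical.
const UPLOAD_DIR = '/var/app-data/uploads';   // outside the web tree (assumed path)
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
const MAX_BYTES = 5 * 1024 * 1024;

// Vet the upload while it is still in PHP's temp dir, then move it and record it.
function store_upload(PDO $db, array $file): int
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Detect the type from the content, not from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('file type not accepted');
    }
    // Server-chosen name: the client's filename never touches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, orig_name, mime) VALUES (?, ?, ?)');
    $stmt->execute([$stored, basename($file['name']), $mime]);
    return (int) $db->lastInsertId();
}

// Serve only files that have a DB record; the request carries an id, never a path.
function serve_upload(PDO $db, int $id): void
{
    $stmt = $db->prepare('SELECT stored_name, orig_name, mime FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $path = $row ? UPLOAD_DIR . '/' . $row['stored_name'] : null;
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        return;
    }
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['orig_name']);
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Call `store_upload($db, $_FILES['upload'])` from the upload handler and `serve_upload($db, (int) $_GET['id'])` from the download script; the form field name and query parameter are likewise assumed.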