> On Oct 19, 2013, at 7:06 PM, Ashley Sheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote: > >> On Sat, 2013-10-19 at 18:57 -0400, Joey J wrote: >> >> Hello All, >> >> I just wanted to see the best way to securely accomplish this task. >> when we want to update a DB we upload to a writable directory instead of >> writing it directly to MySQL, I don't like having writable directories if >> possible. >> Is there a right or better way to accomplish this? >> >> Thanks! > > > There's nothing inherently wrong with having a directory writeable on > your web server, but you should ensure it's running with the least > privileges it requires to complete your task. > > So, make sure that the Apache user is also the owner of the directory, > then you only need to give it 755 permissions (it's always unwise to use > 777 on a production server). > > Another thing you can do is to place the upload directory outside your > web root so that it's not accessible via a browser. > > I can see why you wouldn't want to import it directly into the database > though. I recently had to "fix" a script of mine because someone thought > it would be a good idea to change the order of a bunch of fields in a > CSV, and added a new field in the middle rather than at the end. Having > a script in between the CSV and the database can ensure some sort of > data quality check is in-place before importing bad data. > > Thanks, > Ash > http://www.ashleysheridan.co.uk Good points by Ash above. I'd like to mention that because this is user input make sure any database access is escaped correctly (prepared statements are good) and when/if you output it should all be HTML escaped. Best, -Josh ___________________________ http://byjakt.com Currently mobile -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
