PHP upload

goodyear · 27th July 2003, 03:51 PM

Hi

I'm writing a script to allow contributors to upload pdf files to a site.

What I was wondering is, what permissions does the target directory need to accept the move_uploaded_file()'d file and make the file readable by a browser?

Goodyear

leafish_paul · 27th July 2003, 04:37 PM

I think just read and write permissions for owner, group and public, or chmod 766. If that doesn't work, try read/write/execute allowed for all, or chmod 777.

goodyear · 27th July 2003, 08:23 PM

Will permissions set this way cause me security headaches?

The upload script is going to be restricted to two people who I know, so theoretically no-one else will have access to it anyway.

leafish_paul · 27th July 2003, 08:54 PM

As far as I know, you have to set the permissions on the directory you wish to copy the uploaded file to to at least 766. Having read the PHP documentation, it even says "remember to do a chmod -c -v 0777 on the directory you want your uploaded files to be moved to."

Please someone correct me if I'm wrong! Perhaps you could set the directory's permissions to 777, then remove permissions one at a time (starting with public execute, then group execute, then public write, etc...) until the script breaks to avoid 'security headaches'.

You could always have a look at this, which may save you re-inventing the wheel.

goodyear · 27th July 2003, 09:31 PM

I like reinventing the wheel.

Seriously, though, I actually enjoy figuring this stuff out and doing it myself! (No, really...

)

leafish_paul · 27th July 2003, 09:38 PM

Sure, I know what you mean - its often nicer to write something yourself: its easier to read/understand and maintain, and does exactly what you want - pre-written packages can be overkill.

However, I would advise looking through the PEAR code - there's loads of good stuff in there, and that HTTP Upload one in particular covers all the important aspects of uploading files with HTML forms - namely vaildating the upload, file types and sizes and security. You'll probably ended up pulling a lot of code from it. I know I did... ;)

goodyear · 27th July 2003, 09:39 PM

It needs at least 757.

What are the implication for having a directory set to this?

And is there any way round it?

leafish_paul · 27th July 2003, 09:55 PM

Quote:

Originally posted by goodyear
What are the implication for having a directory set to this?

Not sure, really. Probably only effects you if someone else can access your file area on the shared server you are on...? Or if someone manages to SSH in? I'm not that well-versed on this. I'm off to have a read. I've got several directories on different sites set to 777 for forums, CMS scripts we wrote ourselves and the like... never really worried about it...

Quote:

And is there any way round it?

Again, no idea. Not from what I could gather from the PHP docs tho... essentially the user that is running PHP or Apache ('nobody'?) requires write access to that directory... anybody else have a better idea of this than me?