OJB Posted March 15, 2008

Hey everyone, I have just about finished building this custom script I wrote... Problem is I have 3 folders I need to allow people to upload to and delete from... but if I have CHMOD any lower than 755 it doesn't seem to allow this. Would 755 be secure enough? I only allow uploads in the form of .zip/.rar/.mp3/.gif/.jpg/.jpeg via checks in PHP... but the last thing I want to do is allow my site to be compromised and get shut down for security reasons.
OJB Posted March 15, 2008

755 seems to work fine at the moment for me... I can upload and delete.
OJB Posted March 15, 2008

^ ignore that, after more testing it requires 777, but 777 screams DANGER!!
TCH-Bruce Posted March 15, 2008

> but 777 screams DANGER!!

Yes it does. That's why uploading should be done with FTP and valid user/password combinations.
OJB Posted March 15, 2008

Unfortunately FTP is not really an option for my site... I have people registering, paying for the service, uploading some files, being able to delete the files (from the DB and server)... I can't really register FTP accounts for everyone, and also, I need to allow certain people access to certain other people's files (to download)... It's all quite complex... and I can't really think of a better way of doing it, but 777 *sigh*
TCH-Bruce Posted March 15, 2008

There is no way around the 777 permissions using a script to upload, since the script is running as user "nobody", the default user for the web server. If you were working with only one folder you could ask the help desk to change the ownership of the folder to user "nobody" and then be able to set it to 755, but still, anything would be able to be put into that folder and run from that folder.
Samrc Posted March 19, 2008

> I have people registering, paying for the service, uploading some files, being able to delete the files (from the DB and server)

Can this folder be placed in a password protected area to limit access to only your registered clients, which limits exposure for your website? I use an upload form and folder stored within a password protected directory for clients that just can't handle FTP software but are not a great hazard for me, as I have limitations for size and type of files within the upload form also.
TCH-Andy Posted March 19, 2008

You can also use .htaccess to prevent anything being run from the folder. Just make sure you only give read access (not write) on the .htaccess file.
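
Added example (not part of any post in the thread, and not OJB's script): one way to write the PHP-side extension check OJB mentions so that the client's file name never reaches the world-writable folder. The function names, the size limit and PHP 7.1+ are assumptions; the extension list is the one given in the thread.

```php
<?php
// Added example. ALLOWED_EXT comes from the thread; MAX_BYTES and the
// function names are assumptions made for illustration.
const ALLOWED_EXT = ['zip', 'rar', 'mp3', 'gif', 'jpg', 'jpeg'];
const MAX_BYTES   = 20 * 1024 * 1024; // assumed per-file limit

/**
 * Name to store the file under, or null if the type is not allowed.
 * Only the final extension of the client's name is read, and the rest
 * is replaced by random hex. "shell.php.jpg" becomes "<random>.jpg",
 * so no ".php" component is left for the web server to act on.
 */
function stored_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/**
 * Move one entry of $_FILES into $destDir and return the stored name.
 * Throws RuntimeException when the upload is rejected.
 */
function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload did not complete');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an HTTP upload');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    $name = stored_name($file['name']);
    if ($name === null) {
        throw new RuntimeException('file type not allowed');
    }
    $target = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644); // readable, never executable
    return $name;
}
```

The original file name can be kept in the database next to the stored name for display, so it is only ever treated as text.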