Discussions
Categories
Groups
Advertisement
Child Item
Home
Topics
Technology & Internet
Software & Web Development
Development
PHP Image upload and security
pontovic
Hi
I have a web hosting account with a web host provider and I'm currently devloping a website that has a built in CMS system. My question is how do I get Images loaded up succesfully with the correct permissions while maintaining good security ?
I have the CMS in the directory ~/public_html/cms/ and there is a PHP script in there that facilitates uploading jpg images to a direcory ~/public_html/media/images/ . I had permission errors when trying to upload the file so I did a test and made the ~/public_html/media/images direcotry fully readable and writeable (read, write, execute permission for owner, group, user) and it worked. I dont think this is an idea solution though.
So what is the best thing to do ?
This worked fine on my windows PHP MySQL and Apahce dev environment but it doesnt work so well here.
Any help well appreciated thanks.
Find more posts tagged with
Quick Links
All Categories
Recent Posts
Activity
Unanswered
Groups
Best Of
Advertisement
Advertisement
Comments
daymobrew
What does the CMS docs suggest? Maybe they have a forum to post to - that way you will target users of the CMS who will probably have encountered the same issue.
pontovic
I wrote the CMS myself in PHP
daymobrew
I suggest looking at other CMS code then.
seamus
You may need to read up a little on how user permissions work in Apache and Unix/Linux.
Afaik when a visitor does something in Apache, the entire script is run with the permissions of the "apache" user.
So what you'll need to do is change the owner of the images directory (and only that directory) to the apache user (you'll need to find the correct username);
chown apache ~/public_html/media/images
Then you need to reset the permission on this directory:
chmod -R 644 ~/public_html/media/images
This gives the apache user read/write access, and everyone else just read access.
PHP and image uploads have always been a thorny issue with me, so I'm not sure if this is best practice. Perhaps someone else may know better.
democrates
The other thing to ensure is that no-one can call the upload script directly without being logged on, and also prevent uploading of executables or renaming to executables, just limit it to what filetypes you want to allow using a regex.
pontovic
Thank you seamus and democrates for your helpful comments. I'll certainly look into that.
Cantab.
I'd say you'll need to get on to the system administrator. It's usual that anything to do with uploading and processing of images is switched off in the PHP configuration - can you imagine the overhead on the server if it was being continuously bombarded with requests to resize, reshape, morph images (PHP has some very nice built-in functions!)? It's a pity it's not widely avaiilable, but mail your hosting company, they might let you in for a small fee.