Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

PHP Image upload and security

  • 11-07-2006 10:26pm
    #1
    Closed Accounts Posts: 658 ✭✭✭


    Hi

    I have a web hosting account with a web host provider and I'm currently devloping a website that has a built in CMS system. My question is how do I get Images loaded up succesfully with the correct permissions while maintaining good security ?

    I have the CMS in the directory ~/public_html/cms/ and there is a PHP script in there that facilitates uploading jpg images to a direcory ~/public_html/media/images/ . I had permission errors when trying to upload the file so I did a test and made the ~/public_html/media/images direcotry fully readable and writeable (read, write, execute permission for owner, group, user) and it worked. I dont think this is an idea solution though.

    So what is the best thing to do ?

    This worked fine on my windows PHP MySQL and Apahce dev environment but it doesnt work so well here.

    Any help well appreciated thanks.


Comments

  • Registered Users, Registered Users 2 Posts: 6,571 ✭✭✭daymobrew


    What does the CMS docs suggest? Maybe they have a forum to post to - that way you will target users of the CMS who will probably have encountered the same issue.


  • Closed Accounts Posts: 658 ✭✭✭pontovic


    I wrote the CMS myself in PHP :)


  • Registered Users, Registered Users 2 Posts: 6,571 ✭✭✭daymobrew


    I suggest looking at other CMS code then.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    You may need to read up a little on how user permissions work in Apache and Unix/Linux.

    Afaik when a visitor does something in Apache, the entire script is run with the permissions of the "apache" user.

    So what you'll need to do is change the owner of the images directory (and only that directory) to the apache user (you'll need to find the correct username);
    chown apache ~/public_html/media/images

    Then you need to reset the permission on this directory:
    chmod -R 644 ~/public_html/media/images

    This gives the apache user read/write access, and everyone else just read access.

    PHP and image uploads have always been a thorny issue with me, so I'm not sure if this is best practice. Perhaps someone else may know better.


  • Closed Accounts Posts: 2,046 ✭✭✭democrates


    The other thing to ensure is that no-one can call the upload script directly without being logged on, and also prevent uploading of executables or renaming to executables, just limit it to what filetypes you want to allow using a regex.


  • Advertisement
  • Closed Accounts Posts: 658 ✭✭✭pontovic


    Thank you seamus and democrates for your helpful comments. I'll certainly look into that.


  • Closed Accounts Posts: 1,444 ✭✭✭Cantab.


    I'd say you'll need to get on to the system administrator. It's usual that anything to do with uploading and processing of images is switched off in the PHP configuration - can you imagine the overhead on the server if it was being continuously bombarded with requests to resize, reshape, morph images (PHP has some very nice built-in functions!)? It's a pity it's not widely avaiilable, but mail your hosting company, they might let you in for a small fee.


Advertisement