
Thread: folder permissions

  1. #1
    Super Member


    So I have this script that allows users to upload a picture, but to do this the folder the pictures are being copied into needs to be writeable.

    What if some smart ass decides to save over some pictures? Uploads a huge file to my server and downloads it a few times? Or worse, uploads some script which does bad things?

    Is there a way where I can make the folder writeable, but only by myscript.php, or make it so that myscript.php automatically logs in or identifies itself somehow so that only it can upload?

    cheers
    Dan Morley
    alpharooms.com
    daniel at alpharooms dot com - Hotels, Flights, Airport Transfers, Care Hire + More! sign up
    My Blog | Cheap Holidays

  2. #2
    aka Antony

    I don't really know the answer but here's what I'd be looking at if doing this

    1. Definitely have the user upload area as a separate area from your own images folder, hence your only issue is users overwriting each other's images

    2. Look into how you can have the script itself enable writing to the folder at the start, then allow the changes and then disable. I think the command is chmod 777 to allow all, not sure what the number is to set it back.

    3. I've heard that any sort of system where you allow users to upload files can be really dangerous so make sure you only allow image files not .exe, and also read up on the security aspects (I seem to remember reading once about nasty files disguised as jpgs)

  3. #3
    Super Member

    1 and 3 already taken care of, on with 2 now. ftp_chmod seems to be what I was looking for

    ta
    Dan Morley

  4. #4
    Registered User

    You can set a maximum upload size for the files if you are worried about bandwidth. I found this tutorial handy.
    http://www.notepad.co.uk/articles/php_tutorial_019.php

  5. #5
    Registered User

    You should be ok if you limit to gif/jpg extensions - I think (and may be wrong here!) that the server only sends pictures to the browser rather than opens them (similar to forwarding an email with attachments without opening the attachment) so essentially your server should be ok - however the visitor may be at risk.

    As for overwriting one user's files by another user, if they're signing up, allocate each user with their own unique id (which I presume you'll do anyway) and just prefix the filename with that when you upload it. At least then you will know who's caused you problems if they do occur later on and get the baseball bat out

    HTH

    Chris

  6. #6
    Super Member

    thank ya'll, sorted now, I think. Didn't get the folder permissions to change by themselves though, damn PHP safe mode...

    upload file sizes capped, upload file types limited and a few other bits and bobs to keep them all in order
    Dan Morley
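
The measures discussed in this thread (a separate upload folder, a size cap, image-only uploads, per-user file names so nobody overwrites anyone else) combined into one handler. This is an added example, not code from any poster; it assumes PHP 7 or later with the fileinfo extension, and the form field `picture`, the session key `user_id`, the directory path and the 2 MB limit are all assumptions.

```php
<?php
declare(strict_types=1);

// Assumed values: adjust to the real site layout.
const UPLOAD_DIR = '/var/www/uploads';   // separate from the site's own images folder
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MB cap per picture
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/png' => 'png'];

function store_picture(array $file, int $userId): string
{
    $tmp = $file['tmp_name'] ?? '';

    // Reject failed uploads and anything that did not arrive via HTTP POST upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('upload failed');
    }
    // Enforce the size cap on the server, using the size of the received file.
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the file content, never from the client's file name:
    // a script renamed to .jpg fails both checks below.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = ALLOWED[(string) $mime] ?? null;
    if ($ext === null || getimagesize($tmp) === false) {
        throw new RuntimeException('not an accepted image');
    }
    // Server-generated name: user id prefix (traceability) plus random bytes,
    // so the client controls neither the name nor the extension and cannot overwrite.
    $name = sprintf('%d_%s.%s', $userId, bin2hex(random_bytes(16)), $ext);
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);   // readable by the web server, not executable
    return $name;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['user_id'], $_FILES['picture'])) {
    try {
        echo 'Stored as ', htmlspecialchars(store_picture($_FILES['picture'], (int) $_SESSION['user_id']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ', htmlspecialchars($e->getMessage());
    }
}
```

The upload directory also needs web server configuration that stops scripts in it from being executed, and only the account PHP runs as needs write access to it.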


