> How is it, if I would create the file itself from the php-script itself?

To do *that* you need world-writable permissions on the DIRECTORY to create files inside of it. That means any other user on your computer can *also* create any files they like in that directory.

> Would I be able to read the file next time it is called from the website?

If that directory is in your web tree, yes, the file would then be available... Along with any other files your co-users have decided to throw into your web-site! This is probably worse than having a single world-writable file. :-(

Constructive Suggestions:

Move the file[s] *OUT* of the web tree. If you want them visible to the outside world, write a PHP script to display the non-web files.

As each file is created, record it in your DB, and only allow the display of files in your DB. Now a hacker needs to create a file in that directory *AND* hack your DB to mess up your web-site.

Check the contents of the files before you display them. Odds are pretty good that there are all sorts of things you can check to be sure the files you have "look" like they should. Page yourself with a 911 if a suspicious file shows up.

Give the files (and their containing directory) the *MINIMUM* permissions required to make it all work. No eXecute. No user-readable/writable. *ONLY* the world readable/writable. Or, if you control the server, change that around and make the files owned by "nobody" and *ONLY* user readable/writable.

Run a cron job to "chmod 006 *" (or whatever you chose above) on that directory every few minutes, so if a hacker manages to force a bad file in there, you'll make it less usable.

Run a cron job every once in a while to check that every file in the DB has a file in the directory and vice-versa. Page yourself if files appear mysteriously. So no file can get added in either place alone without setting off an alarm. Actually, you'll need to be careful that no false alarms happen in the midst of files being added... So, do the INSERT into your DB before the copy(), timestamp the insertion, and don't alarm for any file added to the DB but not the directory in the past minute or two.

This is hardly rock-solid, and any reasonably intelligent malicious user sharing your machine will eventually be able to figure out how to mess you up, but it is closer to "acceptable risk" than world-writable files lying around in your web tree. Hopefully, though, your pro-active measures will have you catching them in the act of trying to figure out how to break in, rather than them catching you with your pants down.

The idea is to keep a very, very close eye on what goes in there, and be sure it's what is *supposed* to be there.

All this won't stop a determined, smart hacker. But it will catch the script-kiddies and wannabes.

Disclaimer: I'm no security expert...

-- 
WARNING [EMAIL PROTECTED] address is an endangered species -- Use [EMAIL PROTECTED]
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
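The DB-versus-directory reconciliation cron job the reply describes, written out as an added example (not code from the post or the PHP list). It is in Python rather than PHP, the two-minute grace window after the INSERT is an assumption, and the DB rows, directory names and clock are constructed in-memory stand-ins for the real registry table and on-disk listing.

```python
"""Reconcile the upload directory against the DB registry (cron-job logic).
Constructed in-memory data stands in for the real DB rows and directory listing."""
import os
import re
from datetime import datetime, timedelta

GRACE = timedelta(minutes=2)  # assumed window: INSERT done, copy() may still be pending
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")  # shape of names the app itself creates


def reconcile(db_rows, dir_names, now):
    """db_rows: {basename: inserted_at}; dir_names: basenames found on disk.
    Returns (orphans_on_disk, missing_from_disk, bad_names), each sorted."""
    on_disk = set(dir_names)
    registered = set(db_rows)
    # On disk but never registered by the app: the case the post says to page on.
    orphans = sorted(on_disk - registered)
    # Registered but absent: alarm only once the INSERT-before-copy() window has passed,
    # so a file whose copy() is still in flight does not raise a false alarm.
    missing = sorted(n for n in registered - on_disk if now - db_rows[n] > GRACE)
    # A name with a path separator or odd characters is suspicious even if registered.
    bad_names = sorted(n for n in on_disk | registered if not SAFE_NAME.match(n))
    return orphans, missing, bad_names


def scan_directory(path):
    """For real cron use: regular files only, no recursion, symlinks not followed."""
    return [e.name for e in os.scandir(path) if e.is_file(follow_symlinks=False)]


def sample_data():
    """Constructed sample: one healthy file, one mid-copy, one long missing, two intruders."""
    now = datetime(2024, 1, 1, 12, 0, 0)
    db_rows = {
        "report-001.txt": now - timedelta(hours=1),
        "report-002.txt": now - timedelta(seconds=30),  # just inserted, copy() pending
        "report-003.txt": now - timedelta(minutes=10),  # registered long ago, never landed
    }
    dir_names = ["report-001.txt", "unexpected.php", "../evil"]
    return db_rows, dir_names, now


def demo():
    db_rows, dir_names, now = sample_data()
    return reconcile(db_rows, dir_names, now)


if __name__ == "__main__":
    orphans, missing, bad = demo()
    for label, names in (("orphan", orphans), ("missing", missing), ("bad name", bad)):
        for name in names:
            print(f"ALERT {label}: {name!r}")  # in cron: page/mail instead of print
```

Run it from cron against `scan_directory(STORAGE_DIR)` and the registry rows; any non-empty result is the alarm the post asks for.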