Craig, you seem very knowledgable and I appreciate your help.  I
confused matters by mentioning the word "upload."  I'm actually not
using php to upload the files.  The user ftps the files to the server,
and the ownership permissions prevent php from manipulating the files.

I'm looking for a clear answer on whether giving php permission, or
setting the directory to nobody:nogroup, or whatever, poses a security

How can php be used to edit/delete files without opening a security

Bear with me, I think I"m getting clearer.

>>> "Craig Vincent" <[EMAIL PROTECTED]> 04/19/02 03:07PM >>>
> How?  Manually each time a file is uploaded?  Or with PHP somehow?
> I appreciate your response, but perhaps I'm not clear enough.
> Isn't it quite common to have php creating/editing/deleting files on
> the server?  How is this done in a secure manner?
> Could you explain further?

Well technically unless your admin is using the latest PHP updates,
server is already open to known exploits (albeit most are pretty
to recreate).  Your admin is probably panicing as many others did when
exploits were announced they were mentioned as problems in the file
routines....however most people don't realize that these exploits were
usable whether file uploading was used or not.

In answer to your question the file upload system is fairly secure but
should never rely on it alone.  When it initially uploads the file, the
is stored as a temporary name (so there's no way to execute code with
screwy filename).  And although it shouldn't be an issue regardless, as
as you remove any fancy characters from the true filename before you
it in another area (anything not alphanumeric or a .) you should have
problems whatsoever.

However as was mentioned before, assuming someone did manage to use the
upload system ...the worst damage one could do to a system would be to
erase/modify files associated with the webserver username (or files
open permissions) really worse case scenario if your admin has
done his
job properly is one could manage to erase all the other php uploaded
if they found an exploit.


Craig Vincent

PHP General Mailing List (
To unsubscribe, visit: 

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to