Re: [PHP] secure upload file
disabled indexes in .htaccess.

On 5/3/06, Richard Lynch <[EMAIL PROTECTED]> wrote:
> On Tue, May 2, 2006 8:12 pm, kristianto adi widiatmoko wrote:
> > how to secure folder upload file since the privilege of this folder is
> > 777
> >
> > is any method to create a secure upload file ??
>
> There is no such thing as "total security"
>
> Here are things you can do to improve security:
>
> 1. chown the directory to the user PHP runs as, and make it be 755 or
>    even 700.
>
> 2. If #1 is impossible, because you are not root, you could:
>    2A. chmod the folder ABOVE your upload directory to 777 TEMPORARILY.
>    2B. Use PHP script to mkdir() and chmod() new directory inside 2A.
>    2C. chmod the folder ABOVE your upload directory back to 755
>    You now have a PHP-user owned directory you can work with, in PHP
>    scripts, to make more directories, upload files, etc.
>
> 3. *MOVE* your upload directory *OUTSIDE* your web-tree, so that
>    arbitrary files uploaded are simply not something a Bad Guy can surf
>    to.
>    3A. Now you have to write a bunch of PHP scripts to manage/view those
>        files. Tough.
>    3B. The scripts you write in 3A can also make all kinds of "sanity
>        checks" on the files.
>        3B1. Are the files in your database listing of known files that
>             belong there?
>        3B2. Are the files of the right format? E.G. .jpg files should
>             return reasonable values for http://php.net/getimagesize
>
> REQUIRED READING:
> http://phpsec.org
>
> If you write one more line of code without reading the above URL, we
> will have no sympathy for you when, when, not if, when your server is
> trashed. Sorry.

--
Anthony Ettinger
Signature: http://chovy.dyndns.org/hcard.html

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] secure upload file
On Tue, May 2, 2006 8:12 pm, kristianto adi widiatmoko wrote:
> how to secure folder upload file since the privilege of this folder is
> 777
>
> is any method to create a secure upload file ??

There is no such thing as "total security"

Here are things you can do to improve security:

1. chown the directory to the user PHP runs as, and make it be 755 or
   even 700.

2. If #1 is impossible, because you are not root, you could:
   2A. chmod the folder ABOVE your upload directory to 777 TEMPORARILY.
   2B. Use PHP script to mkdir() and chmod() new directory inside 2A.
   2C. chmod the folder ABOVE your upload directory back to 755
   You now have a PHP-user owned directory you can work with, in PHP
   scripts, to make more directories, upload files, etc.

3. *MOVE* your upload directory *OUTSIDE* your web-tree, so that
   arbitrary files uploaded are simply not something a Bad Guy can surf
   to.
   3A. Now you have to write a bunch of PHP scripts to manage/view those
       files. Tough.
   3B. The scripts you write in 3A can also make all kinds of "sanity
       checks" on the files.
       3B1. Are the files in your database listing of known files that
            belong there?
       3B2. Are the files of the right format? E.G. .jpg files should
            return reasonable values for http://php.net/getimagesize

REQUIRED READING:
http://phpsec.org

If you write one more line of code without reading the above URL, we
will have no sympathy for you when, when, not if, when your server is
trashed. Sorry.

--
Like Music?
http://l-i-e.com/artists.htm
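
Added example, not part of Richard Lynch's message or of any code posted in this thread: one way to write the serving script from steps 3A and 3B, with the upload directory kept outside the web tree (step 3). The directory path, the `id` request parameter, the `known_files()` array standing in for the database listing, and the JPEG-only policy are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration of steps 3, 3A, 3B1 and 3B2; every path and name here is an assumption.

const UPLOAD_DIR = '/srv/app-data/uploads';   // assumed location outside the web tree

/**
 * 3B1: stand-in for the database listing of known files.
 * Maps a public id to the stored file name; a real script would query its database.
 */
function known_files(): array
{
    return [
        '17' => 'a3f1c2.jpg',   // constructed sample rows
        '18' => 'b77e90.jpg',
    ];
}

/** Return the absolute path for a known id, or null when any check fails. */
function resolve_upload(string $id, string $dir = UPLOAD_DIR): ?string
{
    $known = known_files();
    if (!isset($known[$id])) {
        return null;                       // 3B1: not in the listing
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . basename($known[$id]));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // missing, or resolves outside the upload directory
    }
    $info = @getimagesize($path);          // 3B2: must parse as an image
    if ($info === false || $info[2] !== IMAGETYPE_JPEG || $info[0] < 1 || $info[1] < 1) {
        return null;
    }
    return $path;
}

// 3A: the script that serves the file, since the web server cannot reach it directly.
if (PHP_SAPI !== 'cli') {
    $path = resolve_upload((string)($_GET['id'] ?? ''));
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: image/jpeg');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (string)filesize($path));
    readfile($path);
}
```

getimagesize() only reads the image header, so a file that passes 3B2 can still carry other bytes; serving it through readfile() with a fixed Content-Type means it is sent as data and never handed to the PHP interpreter.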
Re: [PHP] secure upload file
In Apache's Config:

    Options None
    AllowOverride Options
    Order allow,deny
    Allow from all
    RedirectPermanent * "somewhere else"

By using that and uploading to the upload_dir via another script, you
create a black hole. Stuff comes in but can't be accessed from the
outside world afterwards.

Wolf

kristianto adi widiatmoko wrote:
> can any body help me !!
>
> how to secure folder upload file since the privilege of this folder is 777
>
> is any method to create a secure upload file ??
[PHP] secure upload file
can any body help me !!

how to secure folder upload file since the privilege of this folder is 777

is any method to create a secure upload file ??