steve miller wrote:
Patrick,
The php scripts run as "www" on the webserver, but the directories are
owned by "steve" and I believe that group is "wheel". I don't really
have access to be able to change all the file owners. The problem is
that I need "www" to have "write" permission, which means that the whole
web can do so as well. I have noticed that this same issue is present in
popular open source applications, like osCommerce, which is actually
where I had the problem. Their images file needs "write" permission to
receive new product images when you upload them. Someone installed a
shell program in it!!
I have been advised that I may have to run php as a cgi in order to
protect the directories...

On file upload you could use getimagesize()
http://www.php.net/manual/en/function.getimagesize.php
to check that the file is actually an image file.
As a second line of defense, you could use .htaccess on the directory so
it doesn't allow files in that directory to run. I'd have to look up
exactly how that's done.
Sheila
http://www.shefen.com/
____ The WDVL Discussion List from WDVL.COM ____
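
The getimagesize() check suggested in the reply above, sketched as an added example (not code from the thread or from osCommerce). It also assigns a server-chosen file name whose extension comes from the detected type, because getimagesize() inspects only the image header and the stored name should never carry a client-supplied extension. The function name `safe_image_name`, the form field `image` and `$imagesDir` are assumptions for illustration.

```php
<?php
// Added example; all names below are hypothetical.

// Accepted image types, mapped to the extension the server will assign.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

/**
 * Return a server-chosen file name for an uploaded image, or null when
 * the file is not one of the accepted image types.
 */
function safe_image_name(string $tmpPath): ?string
{
    // getimagesize() returns false when the content is not a recognised image.
    $info = @getimagesize($tmpPath);
    if ($info === false || !array_key_exists($info[2], ALLOWED_TYPES)) {
        return null;
    }
    // Ignore the client's file name entirely: the stored name is random and
    // its extension is derived from the detected image type.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
}

// In an upload handler (assumed form field "image", assumed $imagesDir):
//   $tmp  = $_FILES['image']['tmp_name'];
//   $name = is_uploaded_file($tmp) ? safe_image_name($tmp) : null;
//   if ($name === null || !move_uploaded_file($tmp, "$imagesDir/$name")) {
//       // reject the upload
//   }

// Constructed samples so the check can be run from the command line.
$samples = [
    'tiny.gif'  => "GIF89a" . pack('v2', 1, 1) . "\x00\x00\x00;",
    'notes.txt' => "this is plain text, not an image\n",
];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    echo $clientName, ' => ', safe_image_name($tmp) ?? 'REJECTED', PHP_EOL;
    unlink($tmp);
}
```

The header check alone does not make the directory safe, so the .htaccess restriction mentioned in the reply remains worth applying as the second layer.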