Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

PHP Image upload and security

Options
  • 11-07-2006 11:26pm
    #1
    pontovic
    Closed Accounts Posts: 658 ✭✭✭


    Hi

    I have a web hosting account with a web host provider and I'm currently devloping a website that has a built in CMS system. My question is how do I get Images loaded up succesfully with the correct permissions while maintaining good security ?

    I have the CMS in the directory ~/public_html/cms/ and there is a PHP script in there that facilitates uploading jpg images to a direcory ~/public_html/media/images/ . I had permission errors when trying to upload the file so I did a test and made the ~/public_html/media/images direcotry fully readable and writeable (read, write, execute permission for owner, group, user) and it worked. I dont think this is an idea solution though.

    So what is the best thing to do ?

    This worked fine on my windows PHP MySQL and Apahce dev environment but it doesnt work so well here.

    Any help well appreciated thanks.


Comments

  • Options
    #2
    daymobrew
    Registered Users Posts: 6,508 ✭✭✭daymobrew


    What does the CMS docs suggest? Maybe they have a forum to post to - that way you will target users of the CMS who will probably have encountered the same issue.


  • Options
    #3
    pontovic
    Closed Accounts Posts: 658 ✭✭✭pontovic


    I wrote the CMS myself in PHP :)


  • Options
    #4
    daymobrew
    Registered Users Posts: 6,508 ✭✭✭daymobrew


    I suggest looking at other CMS code then.


  • Options
    #5
    seamus
    Registered Users Posts: 68,317 ✭✭✭✭seamus


    You may need to read up a little on how user permissions work in Apache and Unix/Linux.

    Afaik when a visitor does something in Apache, the entire script is run with the permissions of the "apache" user.

    So what you'll need to do is change the owner of the images directory (and only that directory) to the apache user (you'll need to find the correct username);
    chown apache ~/public_html/media/images

    Then you need to reset the permission on this directory:
    chmod -R 644 ~/public_html/media/images

    This gives the apache user read/write access, and everyone else just read access.

    PHP and image uploads have always been a thorny issue with me, so I'm not sure if this is best practice. Perhaps someone else may know better.


  • Options
    #6
    democrates
    Closed Accounts Posts: 2,046 ✭✭✭democrates


    The other thing to ensure is that no-one can call the upload script directly without being logged on, and also prevent uploading of executables or renaming to executables, just limit it to what filetypes you want to allow using a regex.


  • Advertisement
  • Options
    #7
    pontovic
    Closed Accounts Posts: 658 ✭✭✭pontovic


    Thank you seamus and democrates for your helpful comments. I'll certainly look into that.


  • Options
    #8
    Cantab.
    Closed Accounts Posts: 1,444 ✭✭✭Cantab.


    I'd say you'll need to get on to the system administrator. It's usual that anything to do with uploading and processing of images is switched off in the PHP configuration - can you imagine the overhead on the server if it was being continuously bombarded with requests to resize, reshape, morph images (PHP has some very nice built-in functions!)? It's a pity it's not widely avaiilable, but mail your hosting company, they might let you in for a small fee.


Advertisement