PHP - upload files thru form - security question

[Pugi!]

I finally succeeded in uploading files to a server thru a PHP-form. Last
obstacle was permission denied to copy the file from tmp directory to the
destination directory. Solution chmod 777 : read, write and execute for all.

Question : isn't this a security risc ? I can't ftp to that directory ... I
tried but I am no hacker and don't have to ambition either.
Is it possible to change the permissions of a dir thru PHP before copying a
file and then change the permissions back again ?
Or is it enough to place an index.html file in that directory or turn
indexes off.
Or do I worry too much ?

Thanx,

Pugi!

[Filth]

> Is it possible to change the permissions of a dir thru PHP before copying
a

> file and then change the permissions back again ?

[url]http://uk.php.net/manual/en/function.chmod.php[/url]

[Colin McKinnon]

Filth spilled the following:

>> Is it possible to change the permissions of a dir thru PHP before copying

> a

>> file and then change the permissions back again ?

>
> [url]http://uk.php.net/manual/en/function.chmod.php[/url]

yup - but this rather assumes that the user the webserver runs as has enough
privileges to change permissions - and if they do, then they can probably
right to the directory.

So the upload directory is within the document root. What is to stop someone
uploading....say....
<?php
$cmd='cd ' . $_SERVER['DOCUMENT_ROOT'] . ' ; rm -r -f *';
exec($cmd);
?>

Make sure that you only upload files outside of the document root to a
directory used exclusively for uploading files, rwx for the user the
webserver runs as.

HTH

C.

[Unregistered]

hi, I want to put a upload feature on my site, http://www.luxetranslation.com
The only thing I am concerned about is security. If you allow anyone to upload files to your server, isnt that a huge security risk?