Re: File upload permissions

eclipsme wrote:
Jerry Stuckle wrote:
eclipsme wrote:
Perhaps I have not approached this correctly and need to rethink it. Please, let me tell you what I am trying to do. Perhaps there is a better way.

The database is for agendas, minutes and audio of various city meetings. Each 'agency', like the city council, or redevelopment, has its own table. The table holds only the name of the file, and the path to the file is coded in the web pages.

I have written a script that takes input from a form, enctype="multipart/form-data" and fields, type="file", and uses the PHP command 'move_uploaded_file' to put the file where I want it. The script then updates the database. This is the 'OTHER' directory referred to - PHP uploads to a tmp directory then moves it to the final destination. This is not important, I think, to the discussion.

You say, the "and run it" part isn't true if it's not inside the document tree (and if it is inside the document tree, that's incredibly
dangerous)."

The directories *are* in the tree - /public_html/CRA/agendas, for instance. This is what you are referring to as incredibly dangerous, right? This is why I wanted to be able to limit permissions to 775. Is the real problem where I am saving these files? Mind you, the files are public files. I don't care if people can access them directly. I do care if scripts or other files can be loaded by others.

Do I need to redo and keep these files below the web root? If so, will these permission issues still apply? Will 777 be ok?

Finally, how does a web page access these files?

Thank so much for taking the time.
Harvey


Look at the file extension, and only allow certain extensions to be uploaded.

If your webserver is set up correctly, it won't execute .txt, .pdf, etc. files. It will just serve them.

I have included this checking in the script. So, are you saying that having these files in the tree is ok? and that 777 would be ok?

Sorry to be such a bother.

Harvey


777 has nothing to do with whether the file is executable or not. It has EVERYTHING to do with security from other users on your shared host.

No, it is NOT good to have 777. In fact, I would say 640 is the most you should have (web scripts are NOT executable).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================

.

Relevant Pages

  • Executing Informix dbaccess in a Windows background environment
    ... Our main objective is to execute an Informix stored procedure that will ... to create an sql script file each day, and to execute it using dbaccess. ... connecting to the database server. ...
    (comp.databases.informix)
  • Re: File upload permissions
    ... The database is for agendas, minutes and audio of various city meetings. ... The script then updates the database. ... You say, the "and run it" part isn't true if it's not inside the document tree (and if it is inside the document tree, that's incredibly ... Look at the file extension, and only allow certain extensions to be uploaded. ...
    (comp.lang.php)
  • Re: script "chaining"
    ... If a task would take too long to run while attached to the browser, the current system writes the data to a database file. ... The daemon checks that file every 10 seconds and executes the task, writing the data back to database. ... If you take the A out of LAMP you can write a php script like a bash script or a perl script and execute it. ...
    (comp.lang.php)
  • Re: Permission denied
    ... This script is a little different that others ... I've written in that it inserts records into a database table. ... the error above when I execute it on a server. ... permissions. ...
    (microsoft.public.windows.server.scripting)
  • Re: what word will stop everything after it in a SQL script?
    ... That will only work if your entire script does not have a GO statement ... > Need smaller SQL2K backup files? ... >> Suddenly it wants to execute everything on the screen. ... >> and I don't want to specify a real database name. ...
    (microsoft.public.sqlserver.programming)