Jump to content
xisto Community
Sign in to follow this  
sonesay

Securing Upload Directory proper way to do it?

Recommended Posts

I've just tried to test my upload script on the Xisto hosting server and unsure whats the proper way to keep the upload directory secure.How I have it setup locally:my 'uploads' folder is chown to 'nobody' and set 775. The reason I set it to 'nobody' is when it was set to 777 the files uploaded where by 'nobody' so I'm assuming thats what xampp is doing. This seems to work but if there is a proper way do tell.How I have it on Xisto:'uploads' folder is set back to 774 (when it was on 777 uploads work but I'm sure it not safe this way?). so now I get permissions error. I'm guessing if I get php file to create the folder it would have its permission but there must be a better way to do this?Another thing: I dont have any checks so any file can be uploaded. I looked on the php.net page where I got the code and people have suggested ways on securing it but most just seem like weak validation. Does anyone one know how to properly handle files being uploaded and restrict it only to real images?

post-45102-1227524214_thumb.png

Share this post


Link to post
Share on other sites

Having the PHP file create the folder may be equal to chmodding the folder to 0777—but don't quote me on this. The only way i can think of to keep things as secure as i would assume you would want would be to have a program on the server side that is owned by the same user or group that the folder you are trying to upload to has, which the PHP script(s) communicate(s) with by sending it all the data it needs (e.g. the temporary name of the uploaded file and what mimetype it should be and where to move it to if all is green). This, i would say (or at least in theory), should allow a directory with 0774 permissions to "accept" uploads from users while keeping things satisfyingly secure. However, this may require more access to the server in order to make this executable work the way you want. The only implication i can think of is when it comes time to allow the user to delete what they've uploaded (assuming this is in a multi-user environment), as you wouldn't want users deleting things that aren't theirs. But that shouldn't be (much of) a problem if you have the script check a database of who uploaded the file.

Share this post


Link to post
Share on other sites

I have a permissions problem when I try and run my mkdir.php file on the Xisto server.

I have set my folders of 'si' and file 'mkdir.php' to 777 and I still get permission denied error. Is there something else I can do?

<?phpmkdir("testfolder", 0700);?>

Luckily for me I'm only building this for my own personal use so validating is just something I was hoping to sort out if I ever want to build something where other users can upload files. The mimetype is one way to help but it has been noted on the php.net site as being client side validation by the browser so it can be tricked.

I think the other method I came across was reading the file size and also reading the first few bytes to determine if it was indeed an image file but so far I still haven't been able to locate that information again.

post-45102-1227556932_thumb.png

Share this post


Link to post
Share on other sites

I have a permissions problem when I try and run my mkdir.php file on the Xisto server.
I have set my folders of 'si' and file 'mkdir.php' to 777 and I still get permission denied error. Is there something else I can do?

You don't need to set mkdir.php to 0777 for it to create folders. Setting the folder that mkdir.php is in to 0777 should have allowed the script to create the folder in the current working directory. I'm not sure what would be the problem.

Share this post


Link to post
Share on other sites

You don't need to set mkdir.php to 0777 for it to create folders. Setting the folder that mkdir.php is in to 0777 should have allowed the script to create the folder in the current working directory. I'm not sure what would be the problem.

Yeah I was thinking that as well but somehow it just didn't work.

I have got it to work now but yeah the whole process was a head ache.

as it is now:
si folder is 775
mkdir.php is 775 but it wont execute anymore since I removed executable from it. (it doesn't matter since I already have the folder created)
testfolder is 750 (my image upload folder) was created by mkdir.php (I cant delete this now with cpanel because its not owned by me. rmdir() wont work either because it has files in there (my uploaded images)).

It works but I have to tidy it up. I'm not sure why but under file manager in cpanel my view of testfolder is always empty but I can browse and view its contents at http://forums.xisto.com/no_longer_exists/. I'm thinking now the only way to remove it is to write a php script. I saw one just earlier when I was looking up information on removing directories where it checked for files inside the directory and removed them all before removing the parent folder. /sigh

Share this post


Link to post
Share on other sites

I'm thinking now the only way to remove it is to write a php script. I saw one just earlier when I was looking up information on removing directories where it checked for files inside the directory and removed them all before removing the parent folder.

My gallery script has a function that recursively scans a folder and pulls up all the files; i'll pull it up. However, you'll have to work out a way to differentiate between directories and files so you don't get the same message, then you just delete the directories after deleting the files:
function deepscan($dir){	if (!preg_match("/\/$/", $dir)){		$dir .= "/";	}	$files = array();	if ($handle = opendir($dir))	{		while (false !== ($file = readdir($handle)))		{			if ($file != "." && $file != "..")			{				if (is_dir($dir.$file)){					$files[] = $dir.$file;					$files = array_merge($files, deepscan($dir.$file));				} else {					array_push($files, $dir.$file);				}			}		}		closedir($handle);	}	sort($files);	return $files;}

Share this post


Link to post
Share on other sites
using my uploaded images Securing Upload Directory

please tell me if I am on the right track. I am busy with my website that allows members to upload a car image. I mange to upload these very well using php which stores it in my host directory called images. Its there and I only see numbers wen I open them, is there another script to retrieve this to my c: files,

AFTER they are uploaded..This is what I wanna do..Save thes to a database. On my website page there is a block for each car. I then need to upload this to a block. And then have a search button for eg; ford etc.. Is this possible or am I doing it all wrong. The site is up and running with no actual cars cos they all on my host and I dnt know how to get it out of there, sorry I am not a developer or a programmer.  I have done this with trial and error. I dnt know if I am allowed to mention the site address ..So someone can check it out and give me some tips ...

-question by shabeer

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.