Leaving Directory 777 for PHP needs

Schmeg007

Hey guys,

I recently installed a PHP Gallery on my website, after trying out 4 others and either failing or not liking their functionality. I have an option on my gallery that allows users to upload their own images, but I don't know how safe this is for my site. For this to work I had to leave a folder open with full access (777'd it), otherwise the PHP script would fail because it could not write to that directory.

My question is, is this a bad idea to have a directory open to the public like I do now?

Should I look into a different form of user submitted pictures?

How can I reduce the security risks that my site may currently be experiencing?

I figured this was the best place to ask it because I'm sure all you PHP guru's have dealt with something like this in the past. Thank you guys.

HalfaBee

Depending on how your host is set up, 755 or 644 should be adeqate to do file uploads.

Otherwise you could change the permissions when needed in the script. There may be a slight risk of failing due to scripts being executed at the same time ( unlikely ).

The big danger is someone on your server uploading a script to that directory allowing them full access. You could disable php scripts in that dir using .htaccess.

HalfaBee

Storyman

The big danger is someone on your server uploading a script to that directory allowing them full access. You could disable php scripts in that dir using .htaccess.

Anyone know how to disable PHP scripts in a directory using .htaccess?

drawmack

the appache manual will tell you all about htaccess files.

what you can do is use the ftp functions to wrapper the code so that php doesn't need write access to the directory you are saving the files to but that would require you modify the image gallery code.