File upload problem...

ahmonra

Hello!

I have a file-upload script in PHP that copies an uploaded file from the temp directory, into a specified location on my site. Recently i noticed that some of the uploaded files show apache as the owner and not my username. I have been racking my brains trying to figure what I did to mess this up and I can't see my mistake.

Can someone with this kind of experience explain the following to me please:

1) Is there a specific way to tell PHP to copy the file as a particular user instead of defaulting to apache (or nobody)?

2) should I be using PHP's FTP operations to do file upload for any security or performance reasons?

Thank you in advance for any help!

Shaheeb R.

zingbats

This is a stupid question, but can u edit and download the files put on your server?

ahmonra

Actually, the script I'm using right now sets the permissions of any file I upload to be 0777 and in fact the script requires my upload directory to also be 0777. so yes I can download, edit and go nuts with anything in that dir. Thats part of the problem! It strikes me as grossly insecure to leave a public directory that anyone can do anything with.

im working on a solution right now using FTP. becasue the ftp operations will be executed as the server and not as apache, it looks like it should fix the issue. but this means code rewrite of a fairly major portion of my site!

I'll try to post what I find.

Shaheeb