Is there any way to not set the permissions on a UNIX server to 777 for a directory to which the client is going to upload files? I've got the following code in the upload function -

//if the picture is a jpeg or gif, upload it..
	$fileDir="../catalog/images/products/";
	foreach($imgInfo as $fileName=>$fileArray){
		if(is_uploaded_file($fileArray['tmp_name'])){
			if(($fileArray['type'] == "image/gif") || ($fileArray['type'] == "image/pjpeg")){
				move_uploaded_file($fileArray['tmp_name'], "$fileDir".$fileArray['name']);
				$imgName=$fileArray['name'];
			}
		}else{
			$retVar="Your image must be a .jpg or .gif image.  Please convert the image and try again...";
			break;
		}
	}

- which should allow the user to only upload jpegs or gifs, but I'm a little squeamish about leaving the directory open on the hosting server. Is this something I shouldn't worry about, or is it possible to set the permissions at run time only for this operation? I've tried setting the perms before - it didn't work - but that was on a different server. May give it a shot anyhow, just thought some advice from the wise peeps here would go a long way toward making an argument either way to the boss, if you know what I mean...

ps - just looked at it closer and realized that my else clause is in the wrong place to give the proper error message. Went ahead and moved it up and added another break if the image is not an uploaded file...

Thanks in advance for any help or advice...

    One major thing you can do is make the upload directory lower than the /www or /html directory, so uploaded files cannot be directly accessed.

    Also, with only uploading images, you can set a file size restriction.
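
A hardened version of the upload step discussed in this thread, as an added example that is not part of the original posts: it stores files outside the web root, enforces a size cap, checks the file's actual bytes instead of the client-sent type, and picks the stored name on the server. Assumptions: the UPLOAD_DIR path and the 2 MB limit are hypothetical, the fileinfo extension is enabled, and the directory is owned by the account PHP runs as, so mode 0750 is enough and 777 is not needed.

```php
<?php
// Added example, not the poster's code. Path and limit are assumptions.
const UPLOAD_DIR = '/home/example/product_uploads'; // hypothetical, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;                 // hypothetical 2 MB cap
const ALLOWED    = ['image/gif' => 'gif', 'image/jpeg' => 'jpg'];

// Decide from the file's bytes, not from the client-sent $_FILES[...]['type'].
// Returns the extension to store under, or null if the file is rejected.
function checked_extension(string $path, int $maxBytes = MAX_BYTES): ?string
{
    $size = @filesize($path);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return ALLOWED[$mime] ?? null;
}

// Store one entry of $_FILES; returns the stored name, or null on rejection.
function store_upload(array $file, string $dir = UPLOAD_DIR): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = checked_extension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-chosen name: the client's file name never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], "$dir/$name")) {
        return null;
    }
    chmod("$dir/$name", 0640); // owner/group read only, never executable
    return $name;
}

// Constructed sample inputs: run from the CLI to see the content check at work.
if (PHP_SAPI === 'cli') {
    $samples = ['real.gif' => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
                'fake.gif' => "<?php echo 'not an image';"];
    foreach ($samples as $label => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        echo $label, ' => ', checked_extension($tmp) ?? 'rejected', PHP_EOL;
        unlink($tmp);
    }
}
```

Because the files sit outside the web root, the catalog pages would need a small script that reads a stored file and sends it with the matching Content-Type.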
