Working with Permissions in PHP, Part 1
Subject:   CHMOD
Date:   2007-05-07 10:00:17
From:   samxz
This is a good article about CHMOD

Setting CHMOD is a no no!
Setting 766 for the files you want to write opens you up to hackers that are on your shared host account!

I recommend using SQL to store data; you need a user ID and password to have access to it.
Very secure and easy to use!


    2007-07-08 07:54:30  samxz

    After recent work with phpBB I found out there are many exploits for hackers with embedding PHP in gif or jpg files.

    So CHMOD to 766 will not protect you fully.

    Best way is to use htaccess password protected directories for storing user uploaded files.
    Depending on a server configuration one can change mod to 777 on htaccess password protected dir, but other times you cannot and can only write to a file if a file exists.
    (So unless you are 777 you cannot write to a new file.)
    To get around the writing to a new file problem, store the uploaded files in a sub directory of root, not in public_html.
    Then you will be fully protected, because one cannot access that directory from www.

    Another nice trick is to change mod in PHP when you write to a file to public and change the mod back to global after finished writing.

    This is also handy, write to a temp file then flush it with heloo!

    Okay Foo to you all.
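
An added example, not part of the comments above or of the original article: one way to keep uploaded files outside public_html with owner-only permissions instead of 766 or 777, writing under a temporary name first. The directory `private_uploads` and the function `store_upload` are hypothetical names chosen for this sketch.

```php
<?php
declare(strict_types=1);

// Assumption: this directory sits beside public_html, not inside it,
// so the web server never maps a URL onto it.
const UPLOAD_DIR = __DIR__ . '/../private_uploads';

// Allowed MIME types mapped to the extension the server assigns itself.
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

/**
 * Store one entry of $_FILES outside the document root.
 * Returns the stored path; throws RuntimeException on rejection.
 */
function store_upload(array $file, string $dir = UPLOAD_DIR): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a valid HTTP upload');
    }

    // Detect the type from content; the client-supplied name and type are ignored.
    // A valid image can still carry embedded PHP, so this check is not the defence:
    // the non-web location and the server-chosen extension are.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: 'unknown';
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("type not allowed: $mime");
    }

    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException('cannot create storage directory');
    }

    // Random server-side name: no user-controlled extension such as .php.
    $final = $dir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $temp  = $final . '.part';

    // Write under a temporary name, tighten the mode, then rename into place.
    if (!move_uploaded_file($file['tmp_name'], $temp)) {
        throw new RuntimeException('cannot move upload');
    }
    chmod($temp, 0600); // owner read/write only, never 766 or 777
    if (!rename($temp, $final)) {
        unlink($temp);
        throw new RuntimeException('cannot finalise upload');
    }
    return $final;
}
```

Files stored this way are served back through a PHP script that reads them with `readfile()` after an access check, since no URL points at the directory.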