What is the safe way to implement file upload in PHP?

  • olddocks
    New Member
    • Nov 2007
    • 26

    What is the safe way to implement file upload in PHP?

    What is the safe way to implement file upload on your server with PHP? Here is my situation:

    1. I want to let users upload small, avatar-like image files to the website.
    2. I tried setting the upload folder to 777 permissions, and I am afraid that it could be a serious security concern.
    3. I tried setting permissions to 755 or 775, but the upload fails.
    4. I am saving the images on the server and not storing them in the database because of performance issues.

    What is the best way to do this?
  • Atli
    Recognized Expert Expert
    • Nov 2006
    • 5062

    #2
    Hi. Welcome to TSDN!

    The safest way to give PHP control over a folder without causing security issues is to have PHP create the folder itself. Use the mkdir function to create the folder, which will make PHP its owner, allowing it write access but giving only read/execute access to anybody else.

    Another safe way is to store the images outside the web root, making them unreachable through the HTTP server. But that solution will require your script to be able to fetch and display the image when you want it displayed.
    The first solution does not require this and will probably be a little faster for that reason.


    • mwasif
      Recognized Expert Contributor
      • Jul 2006
      • 802

      #3
      In addition to Atli's suggestions, make sure that users can only upload image files.

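The advice above (accept only image files) is easy to get wrong if the check looks at the client-supplied file name or MIME type. The following is an added example written for this thread, not code from the original posts: it validates an avatar upload by content, then re-encodes the image through GD so that only pixel data is stored. The constants AVATAR_DIR, MAX_AVATAR_BYTES and AVATAR_MAX_DIM, the directory path, and the use of PHP 8 syntax are assumptions for the example.

```php
<?php
// Added example: validate an avatar upload by content and store a re-encoded copy.
// AVATAR_DIR, MAX_AVATAR_BYTES and AVATAR_MAX_DIM are assumed values for this example.
declare(strict_types=1);

const MAX_AVATAR_BYTES = 256 * 1024;           // avatar-sized uploads only
const AVATAR_DIR = '/var/www/private/avatars'; // assumed: a directory outside the web root
const AVATAR_MAX_DIM = 512;                    // maximum width/height in pixels

/**
 * Validates one entry of $_FILES and stores a re-encoded copy under a random name.
 * Returns the stored file name on success; throws RuntimeException on any problem.
 */
function accept_avatar_upload(array $file): string
{
    // 1. PHP-level upload checks.
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    // Only trust files PHP itself received through the HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_AVATAR_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 2. Content checks. The client-supplied name and $file['type'] are ignored entirely.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported type: ' . $mime);
    }
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] > AVATAR_MAX_DIM || $info[1] > AVATAR_MAX_DIM) {
        throw new RuntimeException('Not a valid image, or too large in pixels');
    }

    // 3. Re-encode through GD. A file that passes the checks above can still carry
    //    PHP code in a comment chunk or appended after the image data; decoding and
    //    re-encoding keeps only the pixels.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    // 4. Server-chosen random name; the extension comes from the detected type.
    $ext = $allowed[$mime];
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = AVATAR_DIR . '/' . $name;
    $ok = match ($ext) {
        'png' => imagepng($img, $dest),
        'jpg' => imagejpeg($img, $dest, 85),
        'gif' => imagegif($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write avatar');
    }
    chmod($dest, 0600); // readable by the web server user only
    return $name;
}

// Usage in the upload handler (form field named "avatar"):
// try {
//     $stored = accept_avatar_upload($_FILES['avatar']);
//     // record $stored against the user's account
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Upload rejected';
// }
```

Two points worth noting about the design: the extension written to disk is derived from what finfo detected, never from the original file name, so a file called avatar.php.png is stored as a .png regardless; and because GD re-encodes the image, the stored file is never byte-for-byte what the user sent, which removes the usual polyglot tricks (image header followed by PHP) even if the upload directory were ever executable.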

      • olddocks
        New Member
        • Nov 2007
        • 26

        #4
        Originally posted by Atli
        Hi. Welcome to TSDN!

        The safest way to give PHP control over a folder without causing security issues is to have PHP create the folder itself. Use the mkdir function to create the folder, which will make PHP its owner, allowing it write access but giving only read/execute access to anybody else.
        Thanks Atli :) You mean to say I have to use FTP functions in PHP, or file system functions? If anybody could post sample code, that would be great!


        • Atli
          Recognized Expert Expert
          • Nov 2006
          • 5062

          #5
          Originally posted by olddocks
          Thanks Atli :) You mean to say I have to use FTP functions in PHP, or file system functions? If anybody could post sample code, that would be great!
          Yes and no. Although mkdir is an FTP command, it is also a PHP function, belonging to the File System Functions.

          This is the example in the PHP documentation for the mkdir function:
          [code=php]
          <?php
          // Mode 0700: the owner (the user PHP runs as) gets read, write and execute;
          // group and others get nothing. The mode is still subject to the process umask.
          mkdir("/path/to/my/dir", 0700);
          ?>
          [/code]

          The parent directory of the folder you want to create must be accessible to PHP, so it may be necessary to use FTP to chmod 777 the parent directory. But you should revert to 755 once the new folders have been created.


          • pbmods
            Recognized Expert Expert
            • Apr 2007
            • 5821

            #6
            Heya, olddocks.

            The trick is also to set the file's owner and group to the same owner and group that the webserver runs as (usually 'apache' or 'www').

            Are you working on a professionally-hosted server, or are you developing on your own computer?


            • olddocks
              New Member
              • Nov 2007
              • 26

              #7
              Yes, I am on professional hosting, on a VPS plan. Here is what I have planned to do to safely do a file upload.

              1. Store images outside the www root with 777 permissions and then later read the image file with a PHP script like getimage.php?id=1982. Since I have used 777, I disallow running executable files there with .htaccess:

              [code]
              # secure directory by disabling script execution
              AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi .txt
              Options -ExecCGI
              [/code]

              2. I will try using the FTP function to upload with the mkdir() function. Still, I will need to experiment with that.

              3. The third option is storing small images in MySQL. As I will be using small, avatar-like images in MySQL, I don't think performance would be an issue there.

              Nonetheless, I am not taking any chances with security matters. I will take my time with this. Any feedback or suggestions would be more than helpful.

              BTW: This forum is great for PHP matters!

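Atli's two suggestions (have PHP create the folder with mkdir, and keep the files outside the web root) and the getimage.php?id= plan in the post above fit together in one script. The following is an added example written for this thread, not code posted by any of the participants: it creates the avatar directory with mode 0700 if it does not exist, and serves a stored avatar by name after a strict allow-list check on the name and a realpath check that the resolved file is still inside the directory. AVATAR_DIR and the file-name format (32 hex characters plus a known extension) are assumptions for the example; with a numeric id as in getimage.php?id=1982 you would first look the stored name up by that id in your database and then call serve_avatar() with it.

```php
<?php
// Added example: serve avatars stored outside the web root through a PHP script.
// AVATAR_DIR and the "<32 hex chars>.<ext>" file-name format are assumptions.
declare(strict_types=1);

const AVATAR_DIR = '/var/www/private/avatars'; // assumed: not under DocumentRoot

/** Creates the avatar directory once, owned by the web server user, mode 0700. */
function ensure_avatar_dir(): void
{
    if (is_dir(AVATAR_DIR)) {
        return;
    }
    // The parent directory must be writable by the web server user for this to succeed.
    // The mode is subject to umask; 0700 is requested so no other account can read it.
    if (!mkdir(AVATAR_DIR, 0700, true) && !is_dir(AVATAR_DIR)) {
        throw new RuntimeException('Cannot create ' . AVATAR_DIR);
    }
}

/**
 * Maps a request-supplied avatar name to an absolute path inside AVATAR_DIR.
 * Returns null when the name is not in the expected format or escapes the directory.
 */
function resolve_avatar_path(string $name): ?string
{
    // Strict allow-list: 32 hex characters plus a known extension. This alone rules out
    // "../", null bytes, and anything that is not one of the server's own file names.
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg|gif)\z/', $name)) {
        return null;
    }
    $path = realpath(AVATAR_DIR . '/' . $name);
    $base = realpath(AVATAR_DIR);
    // Belt and braces: the resolved path must still sit under AVATAR_DIR.
    if ($path === false || $base === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

/** Sends the avatar to the client, or a 404 if the name does not resolve to a file. */
function serve_avatar(string $name): void
{
    $path = resolve_avatar_path($name);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    $types = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];
    $ext = pathinfo($path, PATHINFO_EXTENSION); // guaranteed by the regex above
    // The Content-Type is chosen by the server from the stored name, never by the client.
    header('Content-Type: ' . $types[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

// getimage.php?id=<stored name>
ensure_avatar_dir();
serve_avatar((string) ($_GET['id'] ?? ''));
```

Because the files live outside DocumentRoot, Apache never maps a URL to them directly, so no .htaccess or 777 permissions are involved: the directory is 0700 and belongs to the user PHP runs as, which is exactly what mkdir() from PHP gives you. The only way a browser reaches an avatar is through serve_avatar(), which reads the file with readfile() and never executes it, whatever its contents.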
