问题
I have a classifieds website with a picture script for uploading pics onto the ads.
The pics are uploaded to the "images" dir.
The php code which does this requires write access to the directory I am guessing...
So, what permissions would you set to the php upload file, and the images directory?
I am thinking like this:
drwxr-xr-x
Safe/good or not?
Thanks
ALSO, another short Q: Should I have my websites files owned by the username I have, or should I keep them owned by root?
回答1:
drw-r--r-- (644). Be careful with users being able to push php/other scripting and executable files up to your server.
Be careful with users being able to push js and html files up to your website.
Owned by the username you have for your webserver. Don't make root own files it has no business owning. Root is the adminstrator, not your webserver.
Have a look in your php.ini file for upload_tmp_dir =
回答2:
make a .htaccess with
<Files ^(*.jpeg|*.jpg|*.png|*.gif)>
order deny,allow
deny from all
</Files>
to allow only this files to be uploaded. And check with php function before upload in your code.
Moving the folder outside the www-root is good to. You can make apache the owner also.
source
来源:https://stackoverflow.com/questions/2958193/giving-upload-folder-these-permissions-safe-or-not