777 dir file write problem

[Pyrozz]

I've been using php for quite a while, but recently I was hacked. ):  The thing is, I had a folder set to 777, because this was the only way I could save images and files into it with php. I had a script that made a security image for registering and it saved it into this directory, but I guess this hacker from turkey found out and put his own php files in there, and the rest doesn't need explaining.  But I need to know how to save files in a directory without the directory's permission's being set to 777.

[kenrbnsn]

Put the directory outside of the webroot path, so that even if some php files got stored in it, there would be no way to execute them.

 

Ken

[Pyrozz]

But then I wouldn't be able to display the pictures. I'm not just storing files, I need them to be public, but I want only the php scripts that I write to be able to write files in the directory.

 

Or can I grab the files from the root directory and output them by request via php script?

[kenrbnsn]

You can use your own PHP script to get the files with no problem.

 

Ken

[MadTechie]

You could have a script to load up the images ie

 

<?php
header('Content-Type: image/jpeg');
$img = imagecreatefromjpeg("/private/images/".$_GET['jpg']);
imagejpeg($img);
imagedestroy($img);
?>

 

however you should check the files before uploading them..

 

[Pyrozz]

But then I wouldn't be able to display the pictures. I'm not just storing files, I need them to be public, but I want only the php scripts that I write to be able to write files in the directory.

 

Or can I grab the files from the root directory and output them by request via php script?

[MadTechie]

Ermm read last 2 posts (excluding yours)

[Pyrozz]

Erm, sorry my phone was being stupid and posted that twice. I read the posts, big help. Thanks!

[Pyrozz]

Just a follow up...

 

I used your advice, this works great, I am surprised I did not do this before (I'm such a noob).

 

But I did a little research, and to avoid opening unwanted images, I actually just outputted the 64base encoding into the HTML.

So something like this:

$outfile= "File location on a 777 dir out of public view";
imagegif($im,$outfile); //$im is the image that I rendered in the script
imagedestroy($im);
$ff = fopen($outfile,"rb",0); //So I open the file I just made
echo "<IMG border=0 SRC=\"data:image/gif;base64,
".chunk_split(base64_encode(fread($ff,filesize($outfile))))."\" name=secimg>";

and then this outputs something like:

<IMG border=0 SRC="data:image/gif;base64,
R0lGODdhcwAYAOMAAAAAAIAAAIAAAKBgYIgYGKh4eLioqICAgMDAwJAwMJhISLCQkAAA//8A/wD/
/////ywAAAAAcwAYAAAE/hDISau9OOvNu99HKI5kaZ5oqq5se0pHgMwyPSM1fuf87ttAXbA3/AmP
RKSReIApi9CnNEldWqNVrK8JOGi/02sYnB2beVwv2VAwlN9iODlOn6XlOMJgKiAQAgkKCgEFWAYL
SIhuPwtZCXhyaWczjwQGUwYGA4QFBTwLCUgCQIMznjsLljIGj6gKk3OSZwYEOK9hA5tLlkIChDaq
M6UIbog6Ba00l1Odi2SyZ7cBy1S5zDTIjTu1OgalBNo2A6WgVQV/CgSnYHd1ybpYhU/rOIV/pj0F
m/I9CpsKiKgkCIigViQncAzOuAdl2BNfC2UUKJWrBwGHPRLAm2IsAC84y7LeJOgUIF0yJQOrpFzw
SobBgUgUhKqiLkujARMhQcsySNA+cAIJDplYj4aCQqNslCNK5WiYi4AUsoORMJHURFhqMcxTbkeC
S4CEItkzRRrMg12iDRn5ZGu1ljv8dTsJCEq4Jxt/TQp5BeO2IsGgDBDAzxRhGmfjFqFlbh3dODut
XH2TtEoqIsP80ujoo5DKR4JgIWg3p7RoOc5OI9AHyQ7COqpNt5YNuwdf2rhj656NJHJu3sBrC4+S
xoXx48iTKzfxobnz59Cjb4gAADs=
" name=secimg>

 

 

And ta-da, now nobody even knows where those security images are being saved.