Private folder that only PHP can access


kael.shipman

Hey everybody,

 

This doesn't exactly fit under Apache concerns, but it's a general webserver question:

 

I need to create an image folder that isn't browse-able by the public but that PHP can still read from and write to. I've experimented a little bit with permissions but just don't know enough about what the permissions mean to really use them with confidence. It's a public web server, so I know I don't have unlimited control, but it's also got a lot of permissions control that it does relinquish to the administrator. I just don't want to risk opening up the system to an easy attack.

 

Anyway, the structure is like this:

 

root/
->Database
->ftproot
->htdocs
  |->index.php
  |->[rest of site files]
->original_images
  |->[imagefiles]

 

 

I don't want users to be able to type in a url and view images from the original_images folder, but I need PHP to be able to copy uploaded files to it and read files from it into memory.

 

From my tests, it looks like it's not currently accessible by URL, and PHP can read from it. PHP can also modify files that are already there, so if original_images/test.jpg exists and I call move_uploaded_file($_FILES['image']['tmp_name'], '../original_images/test.jpg') from /index.php, it works great and overwrites that file with the new image information. However, if the file doesn't already exist, calling the above move_uploaded_file() function throws an error ("Unable to access file...."). chmod() throws the same error regardless of whether the file exists or not.

 

The hosting company allows folder permissions to be changed for the anonymous user, but then it also allows you to create users and assign permissions for certain users. Is there a way for PHP to access the folder using a specific username/password instead of anonymous or PHP or whatever it uses currently?

 

Thanks in advance for any help.

 

-kael


Thanks for the resource, but that's not exactly what I'm looking for. I'm not planning on ever displaying these images anywhere on my site. They're simply for PHP to use as starting points for other images. Therefore, theft by downloading or hotlinking isn't a concern for me since I've determined that the images can't be accessed by a URL.

 

What I need is advice on how I can work my folder/user permissions for PHP to be able to look above the web root directory and into this images folder without compromising any server security.


Sorry for the delayed reply here.

 

effigy: I admit, I'm not really great in the realm of interpreting actual server and file configurations. The hosting company has this stupid FTP management web interface and it blocks my actual FTP program from viewing or editing permissions. Here's what I can divine from their interface:

 

Valid options for permissions are "none", "read", "change" and "full control", and each folder has a field for administrator (that's always set to "full control" and isn't editable), a field for anonymous that seems not to be able to receive "full control", and a box where you can add users and set permissions for each of those. What I see is that my original_images folder is set up as "change" for anonymous, which should be enough, I think. That seems to work just fine when it's under htdocs, but it doesn't work when it's above htdocs. That's when it starts displaying the weird problems that I noted before (like being able to overwrite files that are already there, but not being able to create new ones).

 

steve: Thanks for the .htaccess tip. I think I'll probably end up using that method if the hosting company allows me to use that feature. I'd still like to learn a little bit more about the specifics of managing permissions, though, so if I could do it without a server exception, that would be ideal.

 

Thanks to both of you!

 

-kael
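
Added example, not part of the thread and not any participant's code: one way to store uploads in the original_images folder outside htdocs, checking separately that PHP can create new files in that directory before moving the upload. The helper name store_original_image, the ORIGINALS_DIR constant and the allowed-type list are assumptions; the 'image' field and the folder layout are taken from the first post.

```php
<?php
declare(strict_types=1);
// Assumed layout from the thread: this script lives in htdocs/, and
// original_images/ is a sibling of htdocs/ (outside the web root).
const ORIGINALS_DIR = __DIR__ . '/../original_images';

// Hypothetical helper: validates one $_FILES entry and stores it under a
// server-chosen name. Returns the stored path or throws RuntimeException.
function store_original_image(array $file, string $destDir): string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        throw new RuntimeException('No valid upload received');
    }

    // Creating a new file needs write access to the directory itself;
    // overwriting an existing file only needs write access to that file.
    $dir = realpath($destDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('Destination directory not found');
    }
    if (!is_writable($dir)) {
        throw new RuntimeException('PHP user cannot create files in destination');
    }

    // Decide the type from the file contents, not the client-supplied name.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }

    // Random server-side name: no path traversal, no silent overwrite.
    $target = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($tmp, $target)) {
        throw new RuntimeException('Could not move upload into place');
    }
    return $target;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['image'])) {
    try {
        $stored = store_original_image($_FILES['image'], ORIGINALS_DIR);
        echo 'Stored as ', htmlspecialchars(basename($stored));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

The finfo class requires PHP's fileinfo extension to be enabled on the host.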
