kael.shipman Posted January 21, 2008

Hey everybody,

This doesn't exactly fit under Apache concerns, but it's a general webserver question: I need to create an image folder that isn't browse-able by the public but that PHP can still read from and write to. I've experimented a little bit with permissions but just don't know enough about what the permissions mean to really use them with confidence. It's a public web server, so I know I don't have unlimited control, but it's also got a lot of permissions control that it does relinquish to the administrator. I just don't want to risk opening up the system to an easy attack.

Anyway, the structure is like this:

    root/
    ->Database
    ->ftproot
    ->htdocs
      |->index.php
      |->[rest of site files]
    ->original_images
      |->[imagefiles]

I don't want users to be able to type in a url and view images from the original_images folder, but I need PHP to be able to copy uploaded files to it and read files from it into memory. From my tests, it looks like it's not currently accessible by url, and PHP can read from it. PHP can also modify files that are already there, so if original_images/test.jpg exists and I call move_uploaded_file($_FILES['image']['tmp_name'], '../original_images/test.jpg') from /index.php, it works great and overwrites that file with the new image information. However, if the file doesn't already exist, calling the above move_uploaded_file() function throws an error ("Unable to access file...."). chmod() throws the same error regardless of whether the file exists or not.

The hosting company allows folder permissions to be changed for the anonymous user, but then it also allows you to create users and assign permissions for certain users. Is there a way for PHP to access the folder using a specific username/password instead of anonymous or PHP or whatever it uses currently?

Thanks in advance for any help.

-kael

effigy Posted January 21, 2008

How about this?

kael.shipman Posted January 21, 2008 Author

Thanks for the resource, but that's not exactly what I'm looking for. I'm not planning on ever displaying these images anywhere on my site. They're simply for php to use as starting points for other images. Therefore, theft by downloading or hotlinking isn't a concern for me since I've determined that the images can't be accessed by a url.

What I need is advice on how I can work my folder/user permissions for PHP to be able to look above the web root directory and into this images folder without compromising any server security.

effigy Posted January 22, 2008

What are the permissions, owner, and group of original_images? What user and group does Apache run as? Are you in its group?

steviewdr Posted January 22, 2008

    chmod 777 original_images
    cd original_images
    vi .htaccess
    ####
    deny from all
    ####

PHP and Apache will still be able to read/write to this folder.

-steve

kael.shipman Posted January 26, 2008 Author

Sorry for the delayed reply here.

effigy: I admit, I'm not really great in the realm of interpreting actual server and file configurations. The hosting company has this stupid FTP management web interface and it blocks my actual FTP program from viewing or editing permissions. Here's what I can divine from their interface:

Valid options for permissions are "none", "read", "change" and "full control", and each folder has a field for administrator (that's always set to "full control" and isn't editable), a field for anonymous that seems not to be able to receive "full control", and a box where you can add users and set permissions for each of those.

What I see is that my original_images folder is set up as "change" for anonymous, which should be enough, I think. That seems to work just fine when it's under htdocs, but it doesn't work when it's above htdocs. That's when it starts displaying the weird problems that I noted before (like being able to overwrite files that are already there, but not being able to create new ones).

steve: Thanks for the .htaccess tip. I think I'll probably end up using that method if the hosting company allows me to use that feature. I'd still like to learn a little bit more about the specifics of managing permissions, though, so if I could do it without a server exception, that would be ideal.

Thanks to both of you!

-kael
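
An added example, not code from any poster in this thread: a PHP upload handler for the layout in the first post that stores files in original_images outside htdocs under a server-generated name, and reports separately when the directory itself is not writable (the "can overwrite but cannot create" symptom). The relative path, the form field name `image` and the accepted image types are assumptions.

```php
<?php
// Added example, not code from the thread. Layout assumed from the first post:
//   root/htdocs/index.php (this script), root/original_images/ (outside the web root)
const STORE_DIR = __DIR__ . '/../original_images';   // assumed relative path
const ALLOWED = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

function store_original(array $upload, string $storeDir = STORE_DIR): string
{
    $error = $upload['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code $error");
    }
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Not a file received through HTTP POST');
    }
    // Take the type from the image header, never from the client-supplied name.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !array_key_exists($info[2], ALLOWED)) {
        throw new RuntimeException('Not an accepted image type');
    }
    // Creating a new file needs write access on the directory itself, which is
    // separate from write access on files that already exist inside it.
    $dir = realpath($storeDir);
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('Storage directory not found');
    }
    if (!is_writable($dir)) {
        throw new RuntimeException('PHP user cannot create files in storage directory');
    }
    // Server-generated name: no client input reaches the path, nothing is overwritten.
    $target = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];
    if (!move_uploaded_file($upload['tmp_name'], $target)) {
        throw new RuntimeException('Could not move upload into storage directory');
    }
    return $target;
}

// Usage with a form field named "image" (assumed, as in the first post).
if (isset($_FILES['image'])) {
    try {
        $path = store_original($_FILES['image']);
        echo 'Stored as ' . htmlspecialchars(basename($path));
    } catch (RuntimeException $e) {
        error_log('upload rejected: ' . $e->getMessage());  // detail stays server-side
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```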