[UPHPU] secure(ish) php writable directory

Orson Jones orson.uphpu at bookstore.usu.edu
Tue Oct 2 22:34:43 MDT 2007


I am building the ability for authenticated users to create php files
and upload graphics. These would then be served by the server.

More details. The php files are automagicly generated by form input
(that doesn't allow php code) This is heavily filtered/escaped. I am
fairly confident in this part (security of code generated.) The php
files will be served by include($file), then calling functions defined
within the file. The php files are also designed so that if they were to
be served directly, they would not output anything.

I haven't started on the graphics upload yet, but it would be served the
same way. (through my php program, not directly by apache)

So, there is no reason apache needs to see the uploaded/created files,
but php does need to see them. (ok, they are usually the same user, but
it's the idea I'm going for.) This is on a standard cheap linux hosting
server for the time being.

I am wondering what setup you recommend for doing this type of thing.
Where do you save the files? How do you configure permissions? Can/How
do you validate images? Etc.

Thanks,
Orson


More information about the UPHPU mailing list