I'm migrating a site to a new hoster - Crystaltech.com - and I'm trying to make a file upload script work. The script uses the simple move_uploaded_file() function (or copy(), I've tried both), but the copy fails because of write permissions on the directory I'm trying to upload to.

In my Crystaltech control panel, I can edit and add file permissions on any directory, and I've been told by a customer service rep that if I give "Everyone" write permissions, the script will work (which it does), since my application falls under that user group. However, I don't want this to be a universally writable directory. I can add a user and give that user write permissions to the directory, but my question is: How do I then utilize that authentication with PHP? Is it even possible? Or is there simply the write permissions my script has as an "everyone" user, and that's it? I figure there must be some kind of practical application to being able to control these file permissions through my host's control panel, or they wouldn't bother including it.

Two choices (no more), either upload the files to the directory using FTP or find a host that cares enough about security to run PHP under SuExec.

I'm in a shared hosting environment; can what you're saying be done in that case? In any case, PHP has to run under the same user for any site on the same server, doesn't it?

And a related question: If I do make the directory world-writable, does that truly mean anyone, anywhere could write to that directory with an HTTP Put? Or does it simply mean that scripts running anywhere in my shared server environment can write to the directory?

In any case, PHP has to run under the same user for any site on the same server, doesn't it?No! From Apache.org: "The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web-server".

If I do make the directory world-writable, does that truly mean anyone, anywhere could write to that directory with an HTTP Put? Or does it simply mean that scripts running anywhere in my shared server environment can write to the directory?It means anyone with access to the file system can write to that directory.

Even files set to 0644 are very insecure in a shared environment. It means other users of the server can read Database passwords etc from your PHP files.

Okay, here's another question. On this same site, I ran a ColdFusion script to do the same thing. Without the folder permissions allowing write access for everyone, the CF script did the file upload. (In fact, a customer service rep at Crystaltech thought this shouldn't be happening - that the folder would have to be world-writable for CF to work too.)

And in researching I've run across the idea that, for ASP.NET, the web.config file can be utilized to solve this very problem. Now, finally, to the question: Is PHP the only language where this is such a barrier? Are there ways around it with ASP and CF?

I don't know anything about any of the software you are mentioning. Is any of it open source?