secure writable directory w/ ftp_connect & chmod?


bustya
06-18-2008, 02:16 AM
I'm trying to secure a writable directory used to store user-submitted images. My file uploader is only available to members (username/password protected), but someone is deleting the writable directory's contents and they're doing it without the aid of my script. So I've been reading up on what I can do to prevent this.

I've found two options.
1. Add a sticky bit to the directory, but I'm not sure this will suffice.

2. Use a script to chmod the directory (http://us2.php.net/manual/en/function.chmod.php#71485) writable before the image is uploaded then chmod it back afterwards.

I really like the second option but I'm a little scared because it involves including my ftp username and password in a script. Sure I might be able to secure the directory but how risky is this fix? Is it possible someone can read this file and get my ftp login details?

What if I give the ftp_connect + chmod script a random name and use includes so that it's not directly accessed? Will it be secure enough to use?
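
The second option from the post, written out as an added example (it is not the poster's script or the code from the linked php.net note). It shows the chmod-open, store, chmod-back sequence with the FTP login read from a file kept outside the document root, so the credentials sit in no file the web server can serve, whatever the script is named. The paths, INI keys, directory modes and function name are all assumptions.

```php
<?php
// Added example. Paths, INI keys, modes and the function name are assumptions.
// The INI file lives outside the document root, so no URL maps to it.
const FTP_CONFIG     = '/home/example/private/ftp.ini';     // hypothetical; keys: host, user, pass
const UPLOAD_DIR_FTP = '/public_html/uploads';              // directory as the FTP account sees it
const UPLOAD_DIR_FS  = '/home/example/public_html/uploads'; // the same directory on disk

function store_member_image(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // Accept only real images and choose the stored name ourselves,
    // so a client-supplied filename never reaches the filesystem.
    $types = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $info  = getimagesize($file['tmp_name']);
    if ($info === false || !isset($types[$info[2]])) {
        throw new RuntimeException('Not an accepted image type');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $types[$info[2]];

    $cfg = parse_ini_file(FTP_CONFIG);
    if ($cfg === false) {
        throw new RuntimeException('FTP configuration not readable');
    }
    // ftp_connect() sends the login in cleartext; ftp_ssl_connect() is the TLS variant.
    $conn = ftp_connect($cfg['host']);
    if ($conn === false) {
        throw new RuntimeException('FTP connection failed');
    }
    if (!ftp_login($conn, $cfg['user'], $cfg['pass'])) {
        ftp_close($conn);
        throw new RuntimeException('FTP login failed');
    }
    try {
        if (ftp_chmod($conn, 0777, UPLOAD_DIR_FTP) === false) {   // open only for the move
            throw new RuntimeException('Could not make directory writable');
        }
        if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR_FS . '/' . $name)) {
            throw new RuntimeException('Could not store file');
        }
    } finally {
        // Always restore the restrictive mode, even when the move failed.
        ftp_chmod($conn, 0755, UPLOAD_DIR_FTP);
        ftp_close($conn);
    }
    return $name;
}
```

The directory is still world-writable for the duration of each upload, so this narrows the window rather than closing it.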