[nycphp-talk] PHP MySQL File Upload Help

Brian O'Connor gatzby3jr at gmail.com
Thu Apr 27 21:58:33 EDT 2006


Ah I see, thanks for the insight, greatly appreciated.  I'll contact my
hosting company to find out the details and make a decision based on the
facts.

On 4/27/06, csnyder <chsnyder at gmail.com> wrote:
>
> On 4/27/06, Brian O'Connor <gatzby3jr at gmail.com> wrote:
> > This is the way I currently upload some images to my website now.  I
> really
> > have no idea how safe this is, so if its unsafe, please let me know.
> >
> > // FTP configuration
> >     $ftp_server = 'myftpaddr';
> >     $ftp_user_name = 'myuser';
> >     $ftp_user_pass = 'mypass';
> >
> >     // Connect
> >     $conn_id = ftp_connect($ftp_server);
>
> [snip]
>
> >
> >  // upload the file
> >         $upload = ftp_put($conn_id, $destination_file, $source_file,
> > FTP_BINARY);
> >
> > ftp_close($conn_id);
>
>
> Ah, that ftp solution.
>
> By using a localhost ftp connection, you can save the files as your
> login user and avoid both world-writeable directories and undeleteable
> (because owned by apache) files.
>
> Those are big pros. There are also some big cons, depending on your
> situation.
>
> First, we all know that ftp is an insecure protocol, right? This isn't
> an issue if the ftp server is localhost, but if you are making
> connections over a network you are potentially exposing your password
> to anyone with access to the packets.
>
> Second, and more importantly, you are potentially exposing your login
> credentials to anyone else on the shared server with read access to
> your script. This is the fundamental problem with shared hosting, and
> it applies to database credentials as well. That seems like a bigger
> risk (since all of your files are accessible) than just having a
> world-writeable directory (where only uploaded files are accessible).
>
> The convenience of having the uploaded files owned by you rather than
> by the webserver may still outweigh the security issues, but you have
> to make that call.
>
> Not all shared servers are alike, of course. If you have any question
> about whether other users on the box could read your scripts, ask your
> hosting company.
>
>
> --
> Chris Snyder
> http://chxo.com/
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>



--
Brian O'Connor
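As an added illustration of the two cautions Chris raises (this is not code from the thread, and the paths, config keys and form field name are hypothetical), here is an upload handler that keeps the FTP credentials out of the web-readable script, refuses to use a credentials file that other accounts on the box could read, and only sends the password over a loopback connection:

```php
<?php
// Added example, not from the thread. Assumptions: credentials live in an
// INI file outside DocumentRoot with keys server/user/pass; the upload form
// field is named "image"; the FTP daemon listens on the same host.

// Load credentials from a file outside the web root and refuse to proceed if
// the file is readable by group or world (the shared-hosting exposure above).
function load_ftp_config(string $path): array
{
    if (!is_file($path)) {
        throw new RuntimeException("config file missing: $path");
    }
    $mode = fileperms($path) & 0777;
    if ($mode & 0077) {
        throw new RuntimeException(sprintf(
            'refusing to use %s: mode %04o is readable by others (chmod 600 it)',
            $path, $mode));
    }
    $cfg = parse_ini_file($path);
    foreach (['server', 'user', 'pass'] as $key) {
        if (empty($cfg[$key])) {
            throw new RuntimeException("config key '$key' missing in $path");
        }
    }
    return $cfg;
}

// FTP sends the password in cleartext, so only talk to a loopback address.
function is_loopback(string $host): bool
{
    if (in_array(strtolower($host), ['localhost', '::1'], true)) {
        return true;
    }
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    return strncmp($ip, '127.', 4) === 0;
}

// Build a destination name that does not trust the browser-supplied filename.
function safe_destination(string $dir, string $client_name): string
{
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($client_name));
    return rtrim($dir, '/') . '/' . ltrim($clean, '.');
}

function upload_via_local_ftp(array $cfg, string $source_file, string $destination_file): bool
{
    if (!is_loopback($cfg['server'])) {
        throw new RuntimeException("FTP server {$cfg['server']} is not loopback; not sending the password over the network");
    }
    // Only move files PHP itself received via HTTP upload.
    if (!is_uploaded_file($source_file)) {
        throw new RuntimeException("$source_file is not an uploaded file");
    }
    $conn_id = ftp_connect($cfg['server']);
    if ($conn_id === false) {
        throw new RuntimeException('ftp_connect failed');
    }
    try {
        if (!ftp_login($conn_id, $cfg['user'], $cfg['pass'])) {
            throw new RuntimeException('ftp_login failed');
        }
        return ftp_put($conn_id, $destination_file, $source_file, FTP_BINARY);
    } finally {
        ftp_close($conn_id);
    }
}

// Usage (hypothetical paths):
$cfg = load_ftp_config('/home/myuser/private/ftp.ini');
$dest = safe_destination('images', $_FILES['image']['name']);
$ok = upload_via_local_ftp($cfg, $_FILES['image']['tmp_name'], $dest);
```

The permission check only helps when PHP runs as your own account (suPHP or a CGI setup); under a shared mod_php the credentials file has to be readable by the web server user, which is exactly the exposure Chris describes, so the check will refuse and you are back to the trade-off he says you have to decide for yourself.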