I originally asked this on Stack, thinking it's a basic-I-don't-understand-PHP question, but the answers I'm getting there indicate that it depends a lot on host specifics, so:
I'm trying to use this Dagon Design PHP form to help a local non-profit publication enable their readers to submit photos. I've got the "mailer" part working -- the notifications work fine -- but the "saving a file to a folder" part isn't functioning.
On the form page, the author says "the directory must have write permissions," but I'm not sure "who" is writing to that folder -- is this PHP script considered "Owner" when it saves something on my site? Or do I need to allow save permissions for Owner, Group and Others?
I'm not sure why the script isn't saving the photos, but this seems like a good place to start.
The page I'm clumsily trying to build is here, if that helps.
asked Sep 04 '12 at 08:18
On our system, your PHP processes run as your own user, so you don't need to give write permission to group or other.
If you believe that the problem you're having is related to permissions, then try using 711 or 755 on the directory to which you're trying to upload files, and ensure that you have ownership of that directory.
First off: Providing write access to folders can be dangerous. The main reason being that if I (as an evil person) can write to that directory, I can write a script that lets me hack into your machine. You REALLY want to make sure that:
1) wherever you're storing the files is somewhere that can't store something that could be run. (e.g. /$DOCROOT/photos since I could load a .php script and guess the path to run it.)
2) you run your server under an account like "nobody" that has permission to do very little on the machine. (So when someone breaks your security, they can't do much damage.)
That last one can be hard to do, particularly if you don't own the server you're running on.
Now, in your case, you wanted to know who to give write permissions to for the directory: (this presumes you're running Linux)
1) set the download destination directory to global write:
2) upload a file.
3) see who wrote the file:
You'll see something like:
In this case, the file "foo.bar" was written by user "jrconlin". In an ideal world, you'd change the owner of that directory to be "jrconlin", and bolt down permissions accordingly. Sadly, that's probably not going to be possible (again, unless you own the box and have super user privileges).
So, instead, try the following (presuming you're running Apache): create a /path/to/upload/directory/.htaccess (note the "." at the front) containing:
This will prevent those scripts from being run. Obviously, this is not a perfect list, and you will need to add any additional files if you know or suspect them.
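The ownership and permission checks discussed in the answers above, gathered into one audit script for an upload directory. This is an added example, not code from the original posts; the function names and the extension list are assumptions, and the list is no more complete than the one the answer describes.

```shell
#!/bin/sh
# Added example: audit an upload directory. Names and extension list are assumptions.

# Print the octal permission bits of a path (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the user name that owns a path, i.e. the account that wrote it.
owner_of() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Succeed if the "others" write bit is set (last octal digit 2, 3, 6 or 7).
is_world_writable() {
    m=$(mode_of "$1")
    last=${m#"${m%?}"}
    case "$last" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# List files whose names carry an extension a web server may try to execute.
script_like_files() {
    find "$1" -type f \( -iname '*.php*' -o -iname '*.phtml' \
        -o -iname '*.cgi' -o -iname '*.pl' \) -print
}

# Report directory mode and owner, the owner of every upload, and any findings.
# Returns 0 only when nothing was flagged.
audit_upload_dir() {
    dir=$1 findings=0
    echo "directory: $dir mode=$(mode_of "$dir") owner=$(owner_of "$dir")"
    if is_world_writable "$dir"; then
        echo "FINDING: directory is world-writable; owner-only write (755/711) is enough when PHP runs as the owner"
        findings=$((findings + 1))
    fi
    find "$dir" -type f | while IFS= read -r f; do
        echo "file: $f owner=$(owner_of "$f")"
    done
    bad=$(script_like_files "$dir")
    if [ -n "$bad" ]; then
        echo "FINDING: script-like files in upload directory:"
        echo "$bad"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /path/to/upload/directory
if [ $# -gt 0 ]; then audit_upload_dir "$1"; fi
```

If the file owners it prints match the directory owner, the 755 or 711 suggestion from the first answer applies as written.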