
move uploaded file problem

         

hsceeus

3:50 am on Sep 5, 2006 (gmt 0)




I'm using the move_uploaded_file function to upload images. It works properly for gif, jpg, png, etc. formats, but it appears to have a problem when uploading bitmap images. The bitmap image cannot be uploaded. Why does this happen? Can anyone help?

Steerpike

6:30 am on Sep 5, 2006 (gmt 0)





If you're using a script you found on the web, it's possible that it has a check in the code that queries file extensions and only allows certain ones through.

Without seeing the code in question or the error messages you're getting it's impossible to say: there's no fundamental issue with uploading bmps with move_uploaded_file.

barns101

9:40 am on Sep 5, 2006 (gmt 0)




The bitmaps are possibly too large. Your server will have a maximum file size limit for uploads and BMPs are relatively large files.

rainborick

3:13 pm on Sep 5, 2006 (gmt 0)




I may be sort of hijacking this thread, but to add something to the possible solution. Look for a call to the GetImageSize function, and see if the code checks the #2 element of the GetImageSize's result array, as in $result=GetImageSize($theUploadedFile). You'll probably see a subsequent 'if' statement that looks something like:

if ($result[2]<=3) {
...
}

which would allow GIFs, JPGs, and PNGs but not BMPs for which GetImageSize returns a filetype value of 6. If you change the test value in this 'if' statement to 6, then BMPs will be allowed. You'll also be allowing Flash/Shockwave and Photoshop files, but with luck nobody will ever notice or attempt to upload those.

Now then, my problem is apparently common, but I can't find a workable solution. It's the permissions problem. Several hosts I work on won't allow PHP to create/rename/alter files unless the file or directory's permissions are set to 0777, so live file uploads to public directories are impossible without leaving a huge security hole. I'm a newcomer to PHP, so I don't know how to set the user mode to owner or whatever is required to allow my code to work around this problem. My current implementation does an initial move_uploaded_file to an inaccessible directory where I confirm it's a real image file, and that's when I need to move it to the public directory... and I can't. Any advice or references would be appreciated. Thanks.

hsceeus

1:14 am on Sep 6, 2006 (gmt 0)




It would be better if you create a folder to keep those uploaded images outside of your public directory, and then you can use 'fopen' to read from that new directory path. It will reduce the security holes because outsiders are not able to access a directory that does not reside in the public directory... What do you think about it?

rainborick

3:06 am on Sep 6, 2006 (gmt 0)




I'm obviously missing a step or two or three because I'm doing something along the lines you suggest. I initially point move_uploaded_file to a directory that is not available to the world via HTTP. Once the file is in that protected directory, I have tried copy() and rename() to move it to the public directory, but that's not working. What's compounding the problem is that the host I'm working on for this project has some severe restrictions. I can't even get Perl to open/create a file in the public directory unless I set the permissions to 0777. The code for this is all pretty straightforward and I've done it many times in the past, one way or another, but this severe security situation is beyond my experience. This particular script resides in an administration directory, and I've seen some references to (essentially) blessing a directory to bypass these issues, but no concrete code. Any hints?

hsceeus

3:57 am on Sep 6, 2006 (gmt 0)




If your permissions are set to 775, does it allow you to upload?

Steerpike

5:21 am on Sep 6, 2006 (gmt 0)





You can't do file uploading/manipulation without setting permissions in the directory to 777. End of story.

Exactly what security issues are you expecting with the required permissions change?

hsceeus

3:47 am on Sep 9, 2006 (gmt 0)




As for that security problem, I'm not really sure about it.

By the way, I have another issue regarding uploading images or files.

Say my upload file size is 10Mb, and in php.ini I have "upload_max_filesize = 2M" & "post_max_size=8M".
Even though I set the maximum file size so it can't be over 2M, the error message doesn't show.

If the user tries to upload a file that is too big, the upload procedure will fail even if you have established an error message.
How can I avoid this problem?
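An added example, not code posted by anyone in this thread, covering two points raised above: the getimagesize() type check and the missing error message for oversized uploads. It replaces the numeric `<=` comparison with an explicit allow-list, so BMP is accepted without also admitting SWF and PSD, and it reports both size limits. The field name "image", the staging path and the function names are assumptions.

```php
<?php
// Added example, not code from this thread. The field name "image", the
// staging path and both function names are assumptions for illustration.
const ALLOWED_TYPES = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_BMP];

// Returns a message for a failed or oversized upload, or null when the file
// arrived intact. Pass $_FILES, $_POST and $_SERVER.
function upload_error(array $files, array $post, array $server, string $field): ?string
{
    // A body larger than post_max_size is discarded: $_POST and $_FILES are
    // both empty, so there is no per-file error code to inspect.
    if (!$files && !$post && (int)($server['CONTENT_LENGTH'] ?? 0) > 0) {
        return 'Request exceeds post_max_size (' . ini_get('post_max_size') . ').';
    }
    $code = $files[$field]['error'] ?? UPLOAD_ERR_NO_FILE;
    switch ($code) {
        case UPLOAD_ERR_OK:        return null;
        case UPLOAD_ERR_INI_SIZE:  return 'File exceeds upload_max_filesize (' . ini_get('upload_max_filesize') . ').';
        case UPLOAD_ERR_FORM_SIZE: return 'File exceeds the form MAX_FILE_SIZE.';
        case UPLOAD_ERR_NO_FILE:   return 'No file was uploaded.';
        default:                   return "Upload failed (error code $code).";
    }
}

// Checks the temp file against the allow-list and moves it into $stagingDir
// (outside the web root) under a server-generated name. Returns the new path.
function store_image(array $file, string $stagingDir): string
{
    $info = getimagesize($file['tmp_name']);
    // Index 2 holds the IMAGETYPE_* value. Comparing with "<= 6" would also
    // admit SWF (4) and PSD (5); in_array() admits only the listed types.
    if ($info === false || !in_array($info[2], ALLOWED_TYPES, true)) {
        throw new RuntimeException('Not an accepted image type.');
    }
    // Name and extension come from the detected type, never from the client.
    $name = bin2hex(random_bytes(16)) . image_type_to_extension($info[2]);
    $dest = rtrim($stagingDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move the uploaded file.');
    }
    return $dest;
}

$error = upload_error($_FILES, $_POST, $_SERVER, 'image');
if ($error !== null) {
    echo $error, "\n";
} else {
    echo 'Stored as ', basename(store_image($_FILES['image'], '/path/to/staging')), "\n";
}
```

With the php.ini values quoted above, a 10 MB request exceeds post_max_size, so the first branch fires; a file between 2 MB and 8 MB reaches the script with UPLOAD_ERR_INI_SIZE instead.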