chmod 777 on folders/directories

how risky

le_gber

9:51 am on Oct 1, 2003 (gmt 0)

Hi,

I wanted to know about your experience in having a couple of image directories with a chmod of 777 to allow customers to upload pics with a PHP script.

I tried using the chmod() function in PHP but because I'm new to PHP and also maybe because I'm thick I couldn't get it to work. I understood that for it to work the user should have root privileges, but how to allow root privileges to people in charge of the site?

Thanks for your help

Leo

dmorison

8:02 pm on Oct 2, 2003 (gmt 0)

Hi Leo,

Your bog standard file upload script (using PHP's file upload handling functions such as move_uploaded_file) requires that the destination directory is writable by whatever user Apache (assuming you're using Apache) is running as.

Normally, this is the user "apache".

Likewise, when PHP tries to chmod, it is also doing so as if it were the user "apache".

If you have shell access to your hosting account you should be able to run chmod from the command line, which would almost certainly be safer than having a script run that command on the whim of a user action.

le_gber

5:27 am on Oct 3, 2003 (gmt 0)

Hi dmorison,

OK, so I just chmod 777 the image folder and it should be OK - told you I was thick ;)

The upload script isn't for every user, just the site admin so it should be safe enough.

Thanks

Leo

BlueSky

6:41 am on Oct 3, 2003 (gmt 0)

Since you're enabling uploads outside FTP, this could be a vulnerable area allowing hackers to break into your site if the script being used hasn't been written securely. Be sure it uses the correct MIME types and filters out executables. You can also place this in an .htaccess file right inside that image directory:

RemoveType .php .php3 .php4 .phtml

If your server is set up to run other scripts like Perl in the same area, add their extensions to the list too. That way if an unauthorized user gets access to the upload script he won't be able to execute the code. It'll display as plain text instead.
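
The extension and MIME filtering described above, as an added example that is not code from anyone in this thread. It assumes a form field named "pic" and a target directory ./images (both hypothetical), and that the directory is writable by the web server user (owned by "apache" with mode 755) rather than being world-writable; the .htaccess RemoveType line above remains a separate, second layer.

```php
<?php
// Added example (not from the thread): an upload handler that applies an
// extension allowlist, checks the file's real content, and never reuses the
// client-supplied filename. Field name "pic" and ./images are assumptions.

const UPLOAD_DIR = __DIR__ . '/images';
// Extension => MIME type we expect to find in the file's actual bytes.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

function save_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed or was not a real upload');
    }
    // Allowlist on the lowercased extension: .php, .phtml, .pl etc. are refused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // Inspect the content; $file['type'] comes from the browser and is not trusted.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED[$ext] || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Content does not match an allowed image type');
    }
    // Random name with a single, known-safe extension (no "pic.php.jpg" tricks).
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    chmod($dest, 0644); // readable by the server, never executable
    return $dest;
}

if (isset($_FILES['pic'])) {
    echo 'Stored as ' . htmlspecialchars(basename(save_upload($_FILES['pic'])));
}
```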

le_gber

10:12 am on Oct 4, 2003 (gmt 0)

Thanks to both of you.

I'll work on a filter on file extension to only allow certain types.

Cheers

Leo