What is the safe way to implement file upload in PHP?

what is the safe way to implement file upload in your server with PHP. Here is my situation..

1. i want to let users upload small avatar like image files in the website.
2. I tried setting upload folder 777 permission and i am afraid that it could be a serious security concern?
3. i tried setting permissions to 755 or 775 , but upload fails.
4. i am saving the images in the server and not storing in the database because of performance issues.

what is the best way to do this?

re: What is the safe way to implement file upload in PHP?

Hi. Welcome to TSDN!

The safest way to give PHP control over a folder without causing security issues is to have PHP create the folder itself. Use the mkdir function to create the folder, which will make PHP it's owner, allowing it write access but giving only read/execute access to anybody else.

Another safe way is to store the images outside the web-root, making it unreachable through the HTTP server. But that solution will require you script to be able to fetch and display the image when you want it displayed.
The first solution does not require this and will probably be a little faster for that reason.

re: What is the safe way to implement file upload in PHP?

In addition to Atli's suggestions, make sure that users can only upload image files.

re: What is the safe way to implement file upload in PHP?

Thanks atli :) You mean to say i have to use FTP functions in PHP or file system functions. If anybody could post a sample code, that would be great!

re: What is the safe way to implement file upload in PHP?

Yes and no. Although mkdir is a FTP command, it is also a PHP function, belonging the the File System Functions.

This is the example in the PHP documentation for the mkdir function:
The parent directory of the folder you want to create must be accessible to PHP so it may be necessary to use FTP to chmod 777 the parent directory. But you should revert back to 755 once the new folders have been created.

re: What is the safe way to implement file upload in PHP?

Heya, olddocks.

The trick is also to set the file's owner and group to the same owner and group that the webserver runs as (usually 'apache' or 'www').

Are you working on a professionally-hosted server, or are you developing on your own computer?

re: What is the safe way to implement file upload in PHP?

yes, i am a professional hosting on vps plan. Here is what i have planned to do to safely do a file upload.

1. Store images outside www root with 777 permission and then later read the image file with a php script like getimage.php?id=1982. Since i had used 777 i disallow running executable files there with .htaccess

[PHP]# secure directory by disabling script execution
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi .txt
Options -ExecCGI
[/PHP]

2. I will try using ftp function to upload with mkdir() function. Still, I will need to experiment with that/

3. Third option is storing small images in mysql. As i will be using small avatar like images in mysql, i dont think performance would be an issue there.

Nonethless, i am not taking any chances with the security matters. I will take my time with this. Any feeback or suggestions would be more than helpful.

BTW: This forum is great with PHP matters!