Attachment folder & security


  • Attachment folder & security

    attachments out of database & ch mode777 security?

    Hi there,

    I decided to move the attachments out of the database for some reasons...

    But as far as I know I have to disable PHP safe mode, and I also have to set the folder's change mode to 777.

    Aren't these dangerous or risky?

    How can we secure a folder with chmod 777?

    How can we have this folder above the root? Or secure it by using an .htaccess file?
    Last edited by Golzarion; Sat 22 Mar '08, 12:08pm.
    http://forum.golzarion.com

  • #2
    Yes, there's a slight security issue with this; chmod 777 is not recommended. However, you could place an .htaccess file inside this directory, I believe, and you can also move the directory outside of the public_html/ directory.

    /.
    /..
    /attachments
    /public_html
    /tmp

    Comment


    • #3
      I moved the attachment folder (with chmod 777) outside of the public_html/ directory.

      Is that enough?

      What code should I put in the .htaccess file? Code that just does not allow anybody to upload and execute PHP or HTML files?

      Can I be sure that by moving attachments outside of the public_html/ directory there would be no security issue?
      Last edited by Golzarion; Sun 23 Mar '08, 8:21am.
      http://forum.golzarion.com

      Comment


      • #4
        When it's outside the public_html dir you don't need .htaccess.

        Comment


        • #5
          Originally posted by Floris:
          When it's outside the public_html dir you don't need .htaccess.

          I'm not sure that just moving it outside public_html is enough for the security of the attachment folder!

          At least when I use a shared server there can be a security issue? Is that right?

          Isn't it better not to move that folder outside public_html but to protect it with .htaccess?
          Would you please help with the .htaccess code?

          I don't know what I should consider about .htaccess code and security matters.

          Thank you.
          http://forum.golzarion.com

          Comment


          • #6
            Everything inside public_html/* is what you can see from a browser.
            Everything outside it, you can't. So it's secure.

            Comment


            • #7
              .htaccess suggested contents

              Originally posted by .htaccess
              deny from all

              That should be enough. It's better to move it off the public_html, though.
              CemZoo Wiki - The complete anime encyclopedia
              CemZoo Foros - Spanish Anime & Gaming Community (also browse our archive)

              Comment


              • #8
                Originally posted by Floris:
                everything inside public_html/* is what you can see from a browser
                everything outside it.. you can't. So it's secure.

                Thank you anyway!

                Originally posted by kentaurus:
                .htaccess suggested contents
                Originally posted by .htaccess
                deny from all
                that should be enough it's better to move it off the public_html, though

                Exactly, that is the best way! But there are only two problems! When I used the code

                "deny from all", nobody could see images that have been attached!!!

                I believe that is the best way... except for showing attached images.

                And about the second problem... let's talk after the first is solved...
                Last edited by Golzarion; Sun 23 Mar '08, 12:41pm.
                http://forum.golzarion.com

                Comment


                • #9
                  Finally I found the solution!

                  But it is strange that nobody here mentioned it! I think there are many who know but they do not want to describe it... in order to hide the security of their own forums...

                  Anyway, it's solved.
                  http://forum.golzarion.com

                  Comment
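
Added example, not part of the thread and not the forum software's own code: a Python check for the points raised above (whether the attachment folder sits inside public_html, whether chmod 777 left it world-writable, and whether a deny rule is present when it stays web-reachable). The function name, the extension list and the paths are assumptions made for illustration.

```python
import stat
from pathlib import Path

# Assumed list of extensions a web server might execute or render; adjust per server.
SCRIPT_EXTS = {".php", ".phtml", ".html", ".htm"}

def audit_attachment_dir(attach_dir, doc_root):
    """Return findings for an attachment directory (hypothetical helper)."""
    attach = Path(attach_dir).resolve()
    root = Path(doc_root).resolve()
    findings = []

    # Inside the document root means a browser can request the files directly.
    if attach == root or root in attach.parents:
        findings.append("inside-docroot")
        htaccess = attach / ".htaccess"
        rules = htaccess.read_text(errors="replace").lower() if htaccess.is_file() else ""
        # "deny from all" is the rule from the thread; "require all denied"
        # is the Apache 2.4 spelling. Substring check only, no full parsing.
        if "deny from all" not in rules and "require all denied" not in rules:
            findings.append("no-deny-rule")

    # chmod 777 sets the write bit for "other": any local account can add files,
    # which matters most on a shared server.
    if attach.stat().st_mode & stat.S_IWOTH:
        findings.append("world-writable")

    # Stored files that would run or render if the directory were ever served.
    for path in sorted(attach.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            findings.append("script-file:" + path.name)
    return findings

if __name__ == "__main__":
    import os, tempfile
    # Constructed layout mirroring post #2: attachments/ beside public_html/.
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, "public_html"))
        attach = os.path.join(home, "attachments")
        os.mkdir(attach)
        os.chmod(attach, 0o777)
        print(audit_attachment_dir(attach, os.path.join(home, "public_html")))
```

An empty list means the folder is outside the document root, not world-writable, and holds no files with the listed extensions.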
