Announcement

**Floris** · Sat 22 Mar '08, 9:14pm

Yes, there's a slight security issue with this, chmod 777 is not recommended. However, you could place a htaccess file inside this directory I believe, and you can also move the directory outside of the public_html/ directory.

/.
/..
/attachments
/public_html
/tmp

**Golzarion** · Sun 23 Mar '08, 8:15am

I moved the attachment folder (with ch mode 777) outside of the public_html/ directory.

Is that enough ?

what code should I put in htaccess file? the codes just not allow anybody to upload and execute php or html files ?

Can I be sure that by moving attachments outside of the public_html/ directory there would be no security issue ?

**Floris** · Sun 23 Mar '08, 8:38am

When it's outside the public_html dir you don't need .htaccess.

**Golzarion** · Sun 23 Mar '08, 9:41am

Originally posted by Floris View Post

When it's outside the public_html dir you don't need .htaccess.

I 'm not sure just move it outside the public_html is enough for security of attachment folder !

at least when I use shared server there can be a security issue ? is it right?

Isn't it better not to move that folder outside public_html but protect it by .htaccess?
Would you please helping about .htaccess codes?

I don't know what should I consider about .htaccess codes and security matters.

Thank you .

**Floris** · Sun 23 Mar '08, 10:08am

everything inside public_html/* is what you can see from a browser
everything outside it.. you can't. So it's secure.

**kentaurus** · Sun 23 Mar '08, 10:52am

.htaccess suggested contents

Originally posted by .htaccess

deny from all

that should be enough

it's better to move it off the public_html, tough

**Golzarion** · Sun 23 Mar '08, 12:31pm

Originally posted by Floris View Post

everything inside public_html/* is what you can see from a browser
everything outside it.. you can't. So it's secure.

Thank you any way!

Originally posted by kentaurus View Post

.htaccess suggested contents
Originally Posted by .htaccess
deny from all
that should be enough

it's better to move it off the public_html, tough

Exactly that is the best way ! but there is only two problems ! when I used the code :

" deny from all" no body could see images that has been attached !!!

I believe that is the best way... except for showing attached images .

and about the second problem ..... let's talk after the first solved...

**Golzarion** · Thu 27 Mar '08, 2:29am

Finally I found the solution !

but it is strange that nobody here mentioned it ! I think there are many who know but they do not want describe .. in order to hide security of their own forums....

anyway It's solved.

Announcement

Attachment folder & security

Attachment folder & security

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment