Hi everyone. I have an upload center and let users upload their images. I use Linux and Apache. I've heard (I don't know anything about it) that Apache (on Linux) can limit a folder so that the files in that folder can only be downloaded but can't be executed (so even if someone uploads a PHP file, he can't run it). So I wouldn't need any filters and could let users upload anything they want. I have two questions:
1. Is it true?
2. How can I do this?
Thank you in advance.
chmod will stop a file from being executed, but it will not stop PHP from reading, parsing and running a PHP file. You can get PHP to run a file by typing "php filename.php" on the command line or by simply requesting the file in a browser. The best way to stop this kind of attack is to check the MIME type of the file being uploaded as they upload it, and unless it's a jpg, gif or png, delete it and give them an error message. Don't just check the extension, because there are often ways around extension-based security. Extensions don't actually mean anything; they are just a convention we use to help understand what kind of file it is.

Actually, now that I think about it, chmod 700 won't stop it being executed anyway... the user that owns the file could still execute it on the command line. 644 would be much safer privileges. 644 would allow anyone to read the file and only its owner to write to the file.
Yes, definitely not 700, as it defeats the purpose of the script. 644, or 666 if users can edit/delete their uploads.
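Added example for both the question (how to make Apache refuse to execute anything in the upload folder) and the answer above (check what was uploaded rather than its extension). This is not code from the original thread. It assumes Apache 2.4 on Linux, an upload directory at /var/www/html/uploads (change UPLOAD_DIR to match your layout), that the fragment goes into the vhost config rather than .htaccess, and that PHP 8's module file is mod_php.c (PHP 7 uses mod_php7.c). The sample files in demo() are constructed, not real uploads. The content check uses only POSIX tools (dd, od, tr), so it runs on a bare box.

```shell
#!/bin/sh
# Added example, not code from the original thread. Two layers:
#  1. an Apache <Directory> fragment so that nothing under the upload
#     tree is ever handed to PHP or another script handler;
#  2. a check on the uploaded bytes, because the filename, its extension
#     and the client-sent Content-Type are all chosen by the uploader.

UPLOAD_DIR="/var/www/html/uploads"   # assumption: adjust to your layout

# Layer 1: print the fragment for the vhost config (not .htaccess: with
# AllowOverride None nothing inside the upload tree can turn it back on).
# php_admin_flag covers mod_php; the FilesMatch deny covers php-fpm /
# fcgid / cgi set-ups, where the handler is chosen by extension at the
# server level and a Directory-level setting would not override it.
apache_upload_dir_config() {
    cat <<EOF
<Directory "$UPLOAD_DIR">
    Options -ExecCGI -Includes -Indexes
    AllowOverride None
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
    <FilesMatch "\\.(ph(p[0-9]*|t|tml|ar)|cgi|pl|py|sh)\$">
        Require all denied
    </FilesMatch>
    Require all granted
</Directory>
EOF
}

# Layer 2: classify a file by its leading bytes.
# Prints jpg, png or gif and returns 0; returns 1 for anything else.
image_type() {
    hex=$(dd if="$1" bs=8 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        ffd8ff*)                     echo jpg ;;   # FF D8 FF
        89504e470d0a1a0a*)           echo png ;;   # \x89 P N G \r \n \x1a \n
        474946383761*|474946383961*) echo gif ;;   # GIF87a / GIF89a
        *)                           return 1 ;;
    esac
}

# Accept a file only if its content looks like an image, then store it
# under a random server-chosen name whose extension comes from the
# detected type, never from the upload. Prints the stored name.
store_upload() {
    src=$1; dest=$2
    ext=$(image_type "$src") || return 1
    name=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    cp "$src" "$dest/$name.$ext" && chmod 644 "$dest/$name.$ext" || return 1
    printf '%s\n' "$name.$ext"
}

# Demo on constructed files (not real uploads).
demo() {
    tmp=$(mktemp -d)
    printf '\211PNG\r\n\032\n' > "$tmp/photo.png"                     # genuine PNG header
    printf '<?php system($_GET["c"]); ?>' > "$tmp/shell.jpg"           # PHP renamed to .jpg
    printf 'GIF89a<?php system($_GET["c"]); ?>' > "$tmp/polyglot.gif"  # valid GIF header, PHP body
    for f in photo.png shell.jpg polyglot.gif; do
        if stored=$(store_upload "$tmp/$f" "$tmp"); then
            echo "$f: accepted as $stored"
        else
            echo "$f: rejected"
        fi
    done
    # polyglot.gif passes the content check. That is why layer 1 (Apache
    # never executing anything under UPLOAD_DIR) is not optional.
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh upload_guard.sh demo` to see the three outcomes, and `sh upload_guard.sh` followed by a call to apache_upload_dir_config (or just copy the heredoc) to get the vhost fragment. The point of the polyglot case is that a magic-byte or MIME check only tells you the file starts like an image; anything after the header can still be PHP, so the upload directory must be one Apache never passes to an interpreter, and the stored name must not come from the client.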