My server was hacked due to my move_uploaded_file system, which required 777 permissions. I can't seem to find a way to make it more secure for my life (if you know a way I'd really like to hear it). People were not only uploading harmful shell files but also deleting every single file in the upload directory when the permissions were 777. I decided to try an ftp_put function for my upload system. But of course, it's not working! Here is my code:

    $ftp_server = "<website>";
    $ftp_user_name = "<username>";
    $ftp_user_pass = "********";
    $destination_file = "allgames/swf/".$_FILES['swffile']['name'];
    $source_file = $_FILES['swffile']['tmp_name'];
    $swffilename = $_FILES['swffile']['name'];
    $swffiletmp = $_FILES['swffile']['tmp_name'];
    $uploadlocation = "rincludes/lang/";
    $uploadfile = $uploadlocation.basename($swffilename);
    $firstmove = move_uploaded_file($swffiletmp, $uploadfile);
    if ($firstmove) {
        echo " Successful Move <br /> ";
    }
    // set up basic connection
    $conn_id = ftp_connect($ftp_server);
    // login with username and password
    $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);
    // check connection
    if ((!$conn_id) || (!$login_result)) {
        echo "FTP connection has failed!";
        echo "Connection Failed <br />";
        exit;
    } else {
        echo "Connected succeeded<br />";
    }
    ftp_pasv($conn_id, true);
    // upload the file
    $daupload = ftp_put($conn_id, $destination_file, $uploadfile, FTP_BINARY); // line 30
    // check upload status
    if (!$daupload) {
        echo "FTP upload has failed!";
    } else {
        echo "Uploaded $source_file to $ftp_server as $destination_file";
    }
    ftp_close($conn_id);

What I'm attempting to do is move an uploaded file to a directory with 777 permissions, then using ftp_put move it into the proper directory which has 755 write permissions. Everything works fine until the daupload part, which does not work at all. I've tried ftp_fput, changing tmp_names, ftp_ascii and so many things, but no matter what I do I can't get it to work!
I'm willing to try a more secure move_uploaded_file function if you know of a way to do that as well, since move_uploaded_file always, always worked for me...
The move_uploaded_file function is secure. It is the variables that are passed to it that are not secure, and possibly the usage of directory changing. I suggest not using the variables and using the $_FILES directly in the move_uploaded_file function. I can get it sorted out for you.
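
An added example, not part of the original posts: one way to call move_uploaded_file on $_FILES directly so that no client-supplied value reaches the destination path and only SWF content is accepted. The function name store_swf_upload, the size limit and the directory layout are assumptions; it also assumes the target directory is owned by the user PHP runs as, so 755 is sufficient and 777 is not needed.

```php
<?php
declare(strict_types=1);

// Assumptions: this directory is owned by the PHP user (mode 0755) and the
// web server is configured not to execute scripts from it.
const UPLOAD_DIR = __DIR__ . '/allgames/swf';
const MAX_BYTES  = 20 * 1024 * 1024; // assumed size limit

/**
 * Validate one $_FILES entry and store it under a server-generated name.
 * Returns the stored path; throws RuntimeException when a check fails.
 */
function store_swf_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload error');
    }
    $tmp = (string) $file['tmp_name'];
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an HTTP upload');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Check the content, not the client-supplied name or MIME type:
    // SWF files begin with FWS (plain), CWS (zlib) or ZWS (LZMA).
    $magic = (string) file_get_contents($tmp, false, null, 0, 3);
    if (!in_array($magic, ['FWS', 'CWS', 'ZWS'], true)) {
        throw new RuntimeException('Not a SWF file');
    }
    // $file['name'] never appears in the path, so "shell.php" or "../x"
    // cannot influence where the file lands or what extension it gets.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.swf';
    if (!move_uploaded_file($tmp, $target)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($target, 0644); // readable for serving, not writable by others
    return $target;
}

if (isset($_FILES['swffile'])) {
    try {
        $path = store_swf_upload($_FILES['swffile'], UPLOAD_DIR);
        echo 'Stored as ' . htmlspecialchars(basename($path));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```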