[solved]Stop users running PHP scripts they've uploaded
Posted: Tue May 01, 2007 8:25 am
I'm making an online file storage app, which lets users upload any file they like and store it.
If they write a php script with the right include path to the config.php file (which will be easy as I am going to release the source when it's finished), they can currently upload it and list out all the passwords (or they can write a script which delete folders, or whatever).
Is there any way to stop php scripts (and anything else for that matter) from running in these 'user' folders, while still letting them get at the information that's there?
I've fiddled with chmod, but setting the file to read+write only (ie. no excecute) didn't make any difference.
I'm trying to avoid forcing them to download the file to see it, so if there are other options, that would be great.
If they write a php script with the right include path to the config.php file (which will be easy as I am going to release the source when it's finished), they can currently upload it and list out all the passwords (or they can write a script which delete folders, or whatever).
Is there any way to stop php scripts (and anything else for that matter) from running in these 'user' folders, while still letting them get at the information that's there?
I've fiddled with chmod, but setting the file to read+write only (ie. no excecute) didn't make any difference.
I'm trying to avoid forcing them to download the file to see it, so if there are other options, that would be great.