0

I have a folder /var/www/html/images/ppic/50x or 100x (dependin on size) where user avatars are kept. When a user uploads a new avatar, it gets resized and moved to each different size folder.

I m getting the following permission errors: 

Warning: move_uploaded_file(images/ppic/144231007.jpg): failed to open stream: Permission denied in /var/www/html/settings.php on line 154

Warning: move_uploaded_file(): Unable to move '/tmp/phpi3oiJp' to 'images/ppic/144231007' in /var/www/html/settings.php on line 154

not moved

How do I set permissions to these folder in a way that will allow users to upload but not delete or mess with?

Ciprian
  • 3,066
  • 9
  • 62
  • 98

2 Answers2

0

try with this

sudo chmod 755 -R /directory_name
stackers
  • 385
  • 4
  • 18
0

which user owns the directory? try chown www-data:www-data /directory_name

Also placing user uploading files in a web accessible directory isn't great practice. Placing them somewhere outside of the web root and using a script to display them in the browser is safer.

Joe1992
  • 458
  • 5
  • 20
  • hmmm ... so where exactly would you place them? I don't know these things ... and what script? any tutorial links? or just a quick example would do. so the way I see it .. I can create a folder in /var/www/images for example ... and then how would I display them? now I just do ... `` ... something like that not sure if all the quotes are there ... Can I do something similar if the image isn't in /var/www/html ? – Ciprian Sep 15 '15 at 12:10
  • Just to be sure I mention this ... I only allow certain extensions to be uploaded, and I convert each image to jpeg format .. so it's not like they have control over the final image format. – Ciprian Sep 15 '15 at 12:15
  • Something along the lines of this answer: http://stackoverflow.com/a/258380/2304693 The problem with keeping uploads in a web accessible directory is that malicious users can upload non images and try to run them simply by browsing to them. If you're converting the images on upload before copying them to your web-accessible directory the risk is significantly lowered however I would still consider keeping them outside the webroot better practice – Joe1992 Sep 15 '15 at 12:17
  • as mentioned in the comments for the linked answer be careful of malicious users trying to traverse your directories using a script like the one in the example. excluding slashes and tildes (~) from the requested file is usually a good place to start. – Joe1992 Sep 15 '15 at 12:21