A friend gave me an uploading script, something like this:

<?
// $userfile is where file went on webserver
// $userfile_name is original file name
// $userfile_size is size in bytes
// $userfile_type is mime type e.g. image/gif

echo "Variables are:<br />";
echo $userfile." ".$userfile_name." ".$userfile_size." ".$userfile_type."<br /><br />";

if ($userfile=="none")
{
echo "Problem: no file uploaded";
exit;
}

if ($userfile_size==0)
{
echo "Problem: uploaded file is zero length";
exit;
}

$upfile = "../Media/Images/".$userfile_name;

if (!copy($userfile, $upfile))
{
echo "Problem: Could not move file into directory";
exit;
}

echo "<center><a href='../Media/Images/".$userfile_name."'>View Your Image</a></center><br />";
echo "Preview of uploaded file contents:<br><hr>";
echo $contents;
echo "<br><hr>";

?>

And the page linking to it has enctype="multipart/form-data" as a form attribute.

It seemed as if it would work nicely, but there is a permissions problem, giving me this error:

Warning: Unable to create '../Media/Images/testpicture.jpg': Permission denied in /path/imageup.php on line 34
Problem: Could not move file into directory

The "Problem" thing is from the script. Also, note that the lines aren't correct, though that should matter.

Does anyone know how I should change the permissions for this to work?

this is a dangerous script. first of all, it doesn't check the mime type to make sure you are uploading a jpg or gif only, which means someone could upload and run malicious script.

if you do want to get it working though, you'll need to assign 777 permissions to the upload directory. php operates as the apache user ("nobody" or "www") and does not have permission to create files in your file system unless you explicitely let it.

again, i would really be careful with this script though, don't let anyone just upload using it unless there's some more error checking done.

It will probably work with directory permissions 757 as well. As well as checking the mime type for image/jpeg, image/pjpeg or images/gif you should probably have a max file size limit too otherwise someone could try to flood your server with HUGE files.

If it's part of a system for password protected users you don't need to worry so much. but if it's publicly accessible you need to take steps to secure your server.

If you use Apache web server and it's running under nonody.nobody, I think the best way is to chown upload directory:

chown nobody.nobody [upload_dir]

And after that chmod it to 770:

chmod 770 [upload_dir]

This will not allow other users that have ssh access to the system to write to this directory.