Web Hosting Talk







File upload with PHP


cnapsys
06-09-2008, 01:46 PM
Hey guys,
I have a small script that uploads a file sent through a form by a user to a local folder /img/
The only way I was able to make it work was to use chmod 777 on the folder. 755 didn't do it.

1) Is this a secure way to do it?
2) I'm trying to make the script upload the file on the main domain. (The script is currently running on a subdomain)
I can't figure out the path that I need to put in the move_uploaded_file.

Any help is greatly appreciated!

Steve_Arm
06-09-2008, 02:12 PM
You did well.
1) It depends, if you do a good validation of what gets uploaded up there, no it's not a big security risk. However if another account gets hacked he can probably write whatever he wants on that directory. Also if you don't do good validation, for example if you upload images, a coder can add php code to the exif comments section and execute code from accessing the file from http. Very rare though as the .jpg extension should be parsed as a script.

2) Again it depends. I would propose to store the file in a directory, behind the root public directory so it's not accessible.

The path should be: /home/username/public_html.
Or /home/username/ if you decide to upload it behind root http dir.

You can also get the path with this:
echo @realpath(dirname(__FILE__)).'/';
This should output the full local path to the script currently executed.
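
The validation and storage location discussed in this reply, sketched as an added example that is not part of the original post: it checks the upload by content, re-encodes the image so EXIF comments are dropped, and writes under a server-chosen name. `UPLOAD_DIR`, the size limit, the `image` field name and the function name are assumptions; it needs the fileinfo and GD extensions.

```php
<?php
// Added example, not code from the thread. UPLOAD_DIR is an assumed
// directory outside the public document root; "image" is the form field.
const UPLOAD_DIR = '/home/username/uploads';
const MAX_BYTES  = 2097152; // 2 MiB
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' . ($file['error'] ?? 'missing'));
    }
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('not an uploaded file, or too large');
    }
    // Type comes from the content, never from the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('content type not allowed');
    }
    // Decode and re-encode with GD: only pixel data is written back, so
    // EXIF comments and anything hidden in them are dropped.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-chosen random name and extension; the original name is ignored.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if ($mime === 'image/png') {
        imagesavealpha($img, true);
        $ok = imagepng($img, $dest);
    } elseif ($mime === 'image/gif') {
        $ok = imagegif($img, $dest);
    } else {
        $ok = imagejpeg($img, $dest, 90);
    }
    if (!$ok) {
        throw new RuntimeException('could not write to ' . UPLOAD_DIR);
    }
    return $dest;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['image'])) {
    try {
        echo 'stored as ', basename(store_uploaded_image($_FILES['image']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage();
    }
}
```

Because the directory is outside the document root, the images have to be served through a script that reads them back; re-encoding a GIF this way keeps only its first frame.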

cnapsys
06-09-2008, 02:20 PM
hi steve,
thanks for your quick reply
the thing is that I want to be able to display those images within the website which is on the main domain.

i was able to get the full path for both by using getcwd();

path1 (domain path): /var/www/vhosts/mydomain.com/httpdocs/images/
path2 (subdomain): /var/www/vhosts/mydomain.com/subdomains/sub/httpdocs/images/

now the weird part is that if i use path2 it works fine and it uploads the file into the /images/ folder on the subdomain. However if i use path1 i get an error defined by me "Error: A problem occurred during file upload!"
I've set both uploading folders to chmod 777

Steve_Arm
06-09-2008, 02:28 PM
What does $_SERVER['DOCUMENT_ROOT']; say?

cnapsys
06-09-2008, 02:33 PM
exactly the same thing as getcwd();
if i run it on the main domain:
/var/www/vhosts/mydomain.com/httpdocs/images/

if on the subdomain:
/var/www/vhosts/mydomain.com/subdomains/sub/httpdocs/images/

Steve_Arm
06-09-2008, 02:37 PM
Is your code like this:

move_uploaded_file($_FILES['image']['tmp_name'], getcwd().'images/name.jpg')

?

cnapsys
06-09-2008, 02:45 PM
nope the code looks like this:
move_uploaded_file($_FILES['image']['tmp_name'], $path2 .$filename)

where $path2="/var/www/vhosts/mydomain.com/subdomains/sub/httpdocs/images/";

if i change that to $path1 which is /var/www/vhosts/mydomain.com/httpdocs/images/ it no longer works

Steve_Arm
06-09-2008, 02:57 PM
If you have ownership of both directories and chmod'ed them to 777,
then you should check to see which function fails. If the move_uploaded_file()
fails it could be an issue with open_basedir or safe_mode in PHP.

Usually this function produces a WARNING and you can see the full error message on the page.

I don't have any other suggestions.

cnapsys
06-09-2008, 03:06 PM
ooooooops my bad i just noticed:
$_SERVER['DOCUMENT_ROOT']; returns:
/var/www/vhosts/mydomain.com/httpdocs

even if i run it in the /images/ folder of mydomain.com

cnapsys
06-09-2008, 03:49 PM
ok, so i did some more debugging:

if i move both files to mydomain.com
like:
www.mydomain.com/test1.php <- input form
www.mydomain.com/test2.php <- processing form

it works fine and it uploads the file into the /images/ folder

If i put both files on:
sub.mydomain.com/test1.php
sub.mydomain.com/test2.php

it uploads the file just fine into the:
sub.mydomain.com/images/ folder

but if i try to change the path from
sub.mydomain.com/test2.php to try to upload the file on mydomain.com/images/ it fails.

paths are:
path1: /var/www/vhosts/mydomain.com/httpdocs/images/
path2: /var/www/vhosts/mydomain.com/subdomains/sub/httpdocs/images/

I'm lost

Hildy
06-10-2008, 03:53 PM
I suspect that it's because you're trying to write a file to a directory outside the webroot of your script. As far as http://sub.mydomain.com/test2.php is concerned, /var/www/vhosts/mydomain.com/subdomains/sub/httpdocs/ is the root of its world. There is nothing outside of that.

I haven't tried it, so it may not work, but you could try symlinking an images directory in the subdomain httpdocs directory to the main one (at the server level, beneath the apache interface) and that might let it work for you.

creativeartist
06-11-2008, 02:30 AM
If you put the validation and perform the file uploading it is a fine one. Also the file upload security will be based on the file size and file type. If you want to move the file to a home directory you mention the home directory path or the full site path. This will help you.

webbiedave
06-12-2008, 11:16 AM
You'll want to make sure you're not being stopped by php's safe mode and/or open_basedir.

Also, you can get more info on the error by sticking this at the top of your script:

ini_set('track_errors', 1);

PHP will then store error messages in $php_errormsg.

You can then try to get more details on why the move is failing with:

if (!move_uploaded_file($source, $dest)) {
    echo "error: $php_errormsg";
}
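
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original posts: it reports whether a target directory falls outside `open_basedir`, is missing, or is not writable, and uses `error_get_last()` for the failure message, which works on current PHP versions where `$php_errormsg` is no longer available. The function names are hypothetical, the paths are the ones quoted in the thread, and `open_basedir` entries are assumed to be absolute paths.

```php
<?php
// Added example, not code from the thread. The two paths are the ones
// quoted in the thread; the helper names are hypothetical.
function diagnose_upload_target(string $destDir): array
{
    $problems = [];
    // realpath() returns false for a missing path and also for one that
    // open_basedir forbids, so fall back to the literal path for the check.
    $real   = @realpath($destDir);
    $target = rtrim($real !== false ? $real : $destDir, '/') . '/';

    $allowed = array_filter(explode(PATH_SEPARATOR, (string) ini_get('open_basedir')));
    $inside  = empty($allowed);          // no open_basedir means no restriction
    foreach ($allowed as $dir) {
        // Compare as directories so /a/httpdocs does not match /a/httpdocs2.
        if (strpos($target, rtrim($dir, '/') . '/') === 0) {
            $inside = true;
        }
    }
    if (!$inside) {
        $problems[] = "$destDir is outside open_basedir (" . implode(', ', $allowed) . ')';
    } elseif ($real === false || !is_dir($real)) {
        $problems[] = "$destDir does not exist or is not a directory";
    } elseif (!is_writable($real)) {
        $problems[] = "$destDir is not writable by the PHP process";
    }
    return $problems;
}

function move_with_diagnostics(string $tmp, string $destDir, string $name): string
{
    $problems = diagnose_upload_target($destDir);
    if ($problems) {
        return 'refused: ' . implode('; ', $problems);
    }
    // @ hides the warning from the page; error_get_last() still records it.
    if (!@move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . basename($name))) {
        return 'error: ' . (error_get_last()['message'] ?? 'unknown');
    }
    return 'ok';
}

foreach (['/var/www/vhosts/mydomain.com/httpdocs/images/',
          '/var/www/vhosts/mydomain.com/subdomains/sub/httpdocs/images/'] as $dir) {
    echo $dir, ': ', implode('; ', diagnose_upload_target($dir)) ?: 'ok', PHP_EOL;
}
```

Run it from the same virtual host as the upload script, since `open_basedir` is commonly set per virtual host and the result differs between the main domain and the subdomain.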