File upload directory outside of web path - bad security?

01-10-2008, 10:00 PM
I am wondering if, on IIS, it is bad practice to have a PHP script upload a file and place it outside the Inetpub folder -
for example, does it make a difference if I put the folder in D:\inetpub\wwwroot\sitefolder\uploads or if I put it in D:\folderhere?

Anyone have any insight?

01-10-2008, 10:28 PM
At face value, there are no problems. As long as you have your permissions set up correctly, people won't be able to get out of the directories they should be allowed into.

You could make a case for it adding security IF the folder is not web-accessible. That way, no one can get at the files once they have been uploaded unless they have file system access.

If it IS web-accessible, there could always be someone who decides that D:\folderhere is a great place to hide the confidential_financial_info.doc and accidentally makes it available to the world. You also have to worry about setting the permissions for this folder instead of sticking it in Inetpub and inheriting most of the permissions you need.
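
Added example, not part of the original thread: a PHP sketch of the non-web-accessible layout discussed above, where uploads land in D:\folderhere and can only be read back through a script that checks the request first. The constant names, the function names `store_upload` and `send_upload`, the form field `file` and the 5 MB limit are assumptions made for illustration.

```php
<?php
// Added example. UPLOAD_DIR is assumed to sit outside the IIS site root,
// so no URL maps to it and the IIS worker identity needs explicit NTFS rights on it.
const UPLOAD_DIR = 'D:\\folderhere';
const MAX_BYTES  = 5 * 1024 * 1024; // assumed size limit

function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Upload rejected');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    // Server-chosen name: the client-supplied filename never reaches the file system.
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . DIRECTORY_SEPARATOR . $id)) {
        throw new RuntimeException('Could not store file');
    }
    return $id;
}

function send_upload(string $id): void
{
    // Accept only IDs in the format store_upload() generates.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        http_response_code(400);
        return;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $id);
    // realpath() returns false for missing files; the prefix check confirms containment.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return;
    }
    // Application-level access checks (login, ownership) would go here.
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="download"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['file'])) {
    echo store_upload($_FILES['file']);
} elseif (isset($_GET['id']) && is_string($_GET['id'])) {
    send_upload($_GET['id']);
}
```

Because the folder does not inherit permissions from Inetpub, the account PHP runs under has to be granted read and write access to it explicitly, and nothing else should be.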