Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 2 of 2
  1. #1
    Regular Coder
    Join Date
    Jul 2006
    Posts
    110
    Thanks
    1
    Thanked 0 Times in 0 Posts

    File upload directory outside of web path - bad security?

    I am wondering if, on IIS, it is bad practice to have a php script upload a file and place it outside the Inetpub folder -
    for example, does it make a difference if I put the folder in D:\inetpub\wwwroot\sitefolder\uploads or if i put it in D:\folderhere

    anyone have any insight?

  • #2
    Regular Coder
    Join Date
    Jan 2003
    Posts
    867
    Thanks
    4
    Thanked 8 Times in 8 Posts
    At face value, there are no problems. As long as you have your permissions setup correctly, people won't be able to get out of the directories they should be allowed into.

    You could make a case for it adding security IF the folder is not web-accessible. That way, no one can get at the files once they have been uploaded unless they have file system access.

    If it IS web-accessible, there could always be someone who decides that D:\folderhere is a great place to hide the confidential_financial_info.doc and accidentally makes it available to the world. You also have to worry about setting the permissions for this folder instead of sticking it in Inetpub and inheriting most of the permissions you need.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •