user1547410

Reputation: 893

Upload security protection - do I need additional protection on a 777 folder

I just started working with uploading files via php.

From my understanding you need to set the properties of the folder to 777 so anyone can upload to that location.

That's fine, and obviously I only keep information there that is not sensitive; it's basically images which are displayed back to the public.

However, can someone not just run a delete statement against my server folder if they know the image name, or is that only possible if the PHP file is on my server?

i.e. delete myimage.png

Basically my question is: other than the normal security precautions like limiting uploads to only .png, using basename etc., do I need to take additional security measures to prevent someone deleting files in that folder, or can that only be done from a script on my web server?

I won't be using any POST methods to delete images or anything like that, but I'm just not sure if it's possible to take advantage of a folder with 777 permissions and do unauthorized stuff, since I gave full access to the folder.

Upvotes: 0

Views: 130

Answers (2)

harry

Reputation: 1007

You can change the folder permission from 777 to 755 or 744.

Upvotes: 0

UltraInstinct

Reputation: 44444

By 777 you're actually giving read/write/execute access to all the users of the machine where your server lives. Note that this does not mean that even website visitors can read/write/execute directly. It's always your web server (Apache) that does it.

However can someone not just run a delete statement if they know the image name to my server folder or is that only possible if the php file is on my server

If your PHP scripts have holes then, yes. If your web server has holes then, yes :)

do i need additional protection on a 777 folder

Yes, you can do with a more restrictive permission. Make the owner of the public upload folder apache (usually www-data), set permissions to just 755, or maybe 775 in case even the group wants to write to it.

Upvotes: 1
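Both answers above come down to the same operational advice: drop the upload folder from 777 to 755 (or 775) and make the web server account its owner. The script below is an added example, not code from either answer, that audits a directory for exactly those two properties and applies the fix. It assumes a POSIX shell with either GNU or BSD `stat`; the web server account name (`www-data` on Debian/Ubuntu, `apache` on RHEL/Fedora) and the directory path are assumptions you pass in as arguments. The point it makes concrete is that deleting a file needs write permission on the *directory*, not on the file, so a world-writable folder lets every local account on the box remove your images regardless of what the PHP code does.

```shell
#!/bin/sh
# Added example (not from the original thread): audit and harden a public
# upload directory so it is owned by the web server account and is not
# world-writable. Owner name and directory are caller-supplied assumptions.

# Print the octal permission bits of a path, e.g. 755 (GNU stat, then BSD stat).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the owner user name of a path.
dir_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Return 0 if "others" have the write bit on the path.
# On a directory the write bit is what permits creating and unlinking
# entries, so a 777 upload folder lets any local user delete images in it.
is_world_writable() {
    mode=$(dir_mode "$1")
    last=$(printf '%s' "$mode" | tail -c 1)   # last octal digit = "others"
    case "$last" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 if $1 is a directory owned by $2 and not world-writable;
# otherwise print the reason to stderr and return 1.
check_upload_dir() {
    dir=$1
    want_owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    owner=$(dir_owner "$dir")
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir is owned by $owner, expected $want_owner" >&2
        return 1
    fi
    if is_world_writable "$dir"; then
        echo "$dir is world-writable (mode $(dir_mode "$dir"))" >&2
        return 1
    fi
    return 0
}

# Apply the recommendation from the answers: web-server ownership and
# mode 755 by default (pass 775 if a deploy group also needs to write).
# chown requires root unless the caller already owns the directory.
harden_upload_dir() {
    dir=$1
    owner=$2
    mode=${3:-755}
    chown "$owner" "$dir" || return 1
    chmod "$mode" "$dir"
}

# Command-line use: sh harden.sh /var/www/html/uploads www-data
if [ $# -gt 0 ]; then
    if check_upload_dir "$1" "${2:-www-data}"; then
        echo "ok: $1 (mode $(dir_mode "$1"), owner $(dir_owner "$1"))"
    else
        echo "fixing $1" >&2
        harden_upload_dir "$1" "${2:-www-data}" "${3:-755}"
    fi
fi
```

Run it as root once against the real folder, then keep `check_upload_dir` in a cron job or deploy step so a later `chmod 777` "to make it work" gets flagged. The file bits inside the folder matter less: with the directory at 755 and owned by the web server user, only that user (through your PHP) and root can create or remove entries, which is precisely the boundary the question asks about.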
