Introduction
When working with files in PHP, security is extremely important. Incorrect file permissions can expose sensitive data, allow unauthorized access, and even lead to serious vulnerabilities.
For example:
- A badly configured upload folder can let an attacker upload a script and have the server execute it
- Configuration files containing credentials may become readable by other accounts on the server, or by anyone on the web
- Permissions that are too restrictive can break your application (for example, PHP cannot write its log or cache files)
In this tutorial, you will learn how file permissions work, how PHP handles them, and how to secure your files properly.
What You Will Learn
- What file permissions are
- How permission numbers like 644 and 755 work
- How to use chmod() in PHP
- How to check file permissions
- Best practices for secure file handling
- Common mistakes to avoid
What Are File Permissions?
File permissions define who can read, write, or execute a file.
On Linux-based servers (used by most hosting providers), permissions are written as three-digit octal numbers such as:
- 644
- 755
- 600
- 777
Understanding Permission Numbers
Each permission number has three digits, one for each class of user:
- Owner (the account that owns the file)
- Group (the file's group)
- Others (every other account on the server; often called "public" or "world")
Each digit is the sum of the permissions granted to that class:
| Number | Permission |
|---|---|
| 4 | Read |
| 2 | Write |
| 1 | Execute |
How Permissions Work (Example)
Example: 644
- Owner → Read + Write (4 + 2 = 6)
- Group → Read (4)
- Others → Read (4)
👉 This is the most common permission for files: only the owner can change it, and every account on the server can read it
Example: 755
- Owner → Read + Write + Execute (4 + 2 + 1 = 7)
- Group → Read + Execute (4 + 1 = 5)
- Others → Read + Execute (4 + 1 = 5)
👉 Common for folders. On a directory the execute bit means "may enter the directory and reach the files inside it", so the web server needs it to serve anything from that folder
Common File Permission Settings
| Permission | Usage |
|---|---|
| 644 | Files (recommended) |
| 755 | Folders |
| 600 | Sensitive files |
| 777 | ❌ Never recommended |
Why You Should Never Use 777
Setting permission to 777 means:
- Any account on the server can read
- Any account on the server can write
- Any account on the server can execute (or, for a folder, enter it and create files in it)
⚠️ This creates a major security risk, especially on shared hosting, where other customers' sites run under different accounts on the same machine: a world-writable folder lets any of them drop a PHP file into your site. 777 is also the wrong fix for "permission denied" errors. Those are usually caused by the file being owned by a different account than the one PHP runs as, and the correct fix is to change the owner, not to open the file to everyone.
Changing File Permissions in PHP
You can change permissions using chmod(). The mode must be an octal integer written with a leading zero: 0644, not 644. The decimal number 644 is octal 1204, which sets the sticky bit and gives the owner write-only access. chmod() returns true on success and false on failure (it does not throw), and it only succeeds when the PHP process owns the file or runs as root.
Example
chmod("example.txt", 0644);
Note: Hosting providers may restrict permission changes, and a file owned by a different account cannot be changed from PHP at all.
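The following is an added example, not code from the original tutorial. It wraps chmod() in a helper that verifies the new mode by reading it back with fileperms(), and it shows why the leading zero matters. It runs on a temporary file so nothing else on disk is touched; the function names currentMode and setMode are chosen here for illustration.

```php
<?php
// Added example (not from the original tutorial): set a file's mode from PHP
// and confirm it took effect. Run on Linux or macOS as the file's owner.
declare(strict_types=1);

// Permission bits of $path as a zero-padded octal string such as "0644".
// fileperms() also carries file-type bits, so mask them off.
function currentMode(string $path): string
{
    clearstatcache(true, $path);   // PHP caches stat() results within a request
    return sprintf('%04o', fileperms($path) & 0777);
}

// Apply $mode (an OCTAL int such as 0644) and verify by reading it back.
// chmod() returns false rather than throwing, and it only succeeds when the
// PHP process owns the file or runs as root.
function setMode(string $path, int $mode): bool
{
    if (!file_exists($path)) {
        return false;
    }
    if (!@chmod($path, $mode)) {   // @ silences the E_WARNING; failure is reported via the return value
        return false;
    }
    return currentMode($path) === sprintf('%04o', $mode & 0777);
}

// Demo on a temporary file so nothing else on disk is touched.
$tmp = tempnam(sys_get_temp_dir(), 'perm');   // created with mode 0600

var_dump(setMode($tmp, 0644));                // bool(true)
echo currentMode($tmp), PHP_EOL;              // 0644

// Pitfall: 644 without the leading zero is DECIMAL 644, i.e. octal 1204,
// which would set the sticky bit and give the owner write-only access.
echo sprintf('%04o', 644), PHP_EOL;           // 1204

// Pitfall: the string "0644" is not an int either (without strict_types it
// coerces to decimal 644); convert such input with octdec().
var_dump(setMode($tmp, octdec('0600')));      // bool(true)
echo currentMode($tmp), PHP_EOL;              // 0600

unlink($tmp);
```

Save it as perms.php and run `php perms.php`. Reading the mode back after chmod() is worth the extra stat() call: on hosts that silently ignore chmod(), the return value alone can be misleading.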
Checking File Permissions in PHP
You can check whether the PHP process can read or write a file. Note that is_readable() and is_writable() test access for the account PHP runs as (for example www-data), not for "public"; to inspect the raw permission bits, use fileperms().
Example
if (is_readable("example.txt")) {
echo "File is readable.";
}
if (is_writable("example.txt")) {
echo "File is writable.";
}
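The following is an added example, not code from the original tutorial. Because is_readable() and is_writable() only answer "can this PHP process access it?", it audits a directory tree with fileperms() instead, reporting world-writable entries, setuid/setgid files, and sensitive files that are readable beyond their owner. The list of sensitive file names and the demo tree in a temp directory are constructed for the example.

```php
<?php
// Added example (not from the original tutorial): audit a directory tree for
// risky modes. is_readable()/is_writable() only say whether THIS PHP process
// can access a file, so to find world-writable or over-shared files we read
// the raw mode bits with fileperms().
declare(strict_types=1);

// File names that should be readable by their owner only (assumed list;
// extend it for your application).
const SENSITIVE_NAMES = ['.env', 'config.php', 'database.php', 'wp-config.php'];

// Walk $root and return [path, octal mode, reason] for every problem found.
function auditPermissions(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode  = $info->getPerms() & 07777;   // permission bits plus setuid/setgid/sticky
        $octal = sprintf('%04o', $mode);

        if ($mode & 0002) {                   // "others" may write
            $findings[] = [$path, $octal, 'world-writable'];
        }
        if ($info->isFile() && ($mode & 0044) && in_array($info->getFilename(), SENSITIVE_NAMES, true)) {
            $findings[] = [$path, $octal, 'sensitive file readable by group/others'];
        }
        if ($info->isFile() && ($mode & 06000)) {
            $findings[] = [$path, $octal, 'setuid/setgid bit set'];
        }
    }
    return $findings;
}

// Constructed demo tree. chmod() is used because mkdir()'s mode is reduced by the umask.
$root = sys_get_temp_dir() . '/perm-audit-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0755, true);
chmod("$root/uploads", 0777);                     // deliberately bad
file_put_contents("$root/config.php", '<?php return ["db_pass" => "x"];');
chmod("$root/config.php", 0644);                  // readable by every account on the host
file_put_contents("$root/index.php", '<?php echo "ok";');
chmod("$root/index.php", 0644);                   // fine for a public script

foreach (auditPermissions($root) as [$path, $octal, $reason]) {
    printf("%s  %-12s %s\n", $octal, substr($path, strlen($root)), $reason);
}
// Expected output (order may vary):
// 0777  /uploads     world-writable
// 0644  /config.php  sensitive file readable by group/others

// Remove the demo tree (children before parents).
$rm = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($rm as $path => $info) {
    $info->isDir() ? rmdir($path) : unlink($path);
}
rmdir($root);
```

Run it against your own document root (replace the constructed tree with the real path and drop the cleanup) to find files that a deploy script or a hurried chmod -R 777 left open.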
Understanding File Paths (Security Tip)
Always build file paths from a known base directory instead of relying on the current working directory.
$file = __DIR__ . "/example.txt";
👉 __DIR__ is the directory of the current script, so the path is the same whether PHP was started from the command line, from cron, or by the web server. It does not, on its own, make user-supplied file names safe: __DIR__ . "/" . $_GET["name"] still allows "../" traversal, so never concatenate user input into a path without validating the result.
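The following is an added example, not code from the original tutorial. It shows the check that __DIR__ alone does not give you: resolving a requested name inside a fixed base directory with realpath() and rejecting anything that escapes it, including symlinks that point outside. The helper name safeFilePath and the temp-directory layout are constructed for the example; it needs PHP 8 for str_starts_with() and str_contains().

```php
<?php
// Added example (not from the original tutorial): resolve a user-supplied
// file name inside a fixed base directory and refuse anything that escapes
// it. Requires PHP 8 (str_starts_with / str_contains).
declare(strict_types=1);

// Return the canonical path of $requested inside $baseDir, or null if the
// name does not resolve to a regular file under that directory.
function safeFilePath(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                      // base directory must exist
    }
    if ($requested === '' || str_contains($requested, "\0")) {
        return null;                      // empty names and NUL bytes are never valid
    }
    // realpath() collapses ".", ".." and symlinks, so a symlink inside the
    // base directory that points outside it is rejected as well.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;                      // does not exist
    }
    // Prefix check on canonical paths; the trailing separator stops
    // "/srv/files" from matching "/srv/files-secret".
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;   // only serve regular files
}

// Constructed demo layout in a temp directory:
//   <root>/files/report.txt   (meant to be downloadable)
//   <root>/secret.txt         (must never be reachable)
$root = sys_get_temp_dir() . '/paths-' . bin2hex(random_bytes(4));
mkdir("$root/files", 0700, true);
file_put_contents("$root/files/report.txt", "quarterly report");
file_put_contents("$root/secret.txt", "db password");

$tests = [
    'report.txt',            // OK
    './report.txt',          // OK, normalises to the same file
    '../secret.txt',         // traversal, REJECTED
    'missing.txt',           // REJECTED, does not exist
    '',                      // REJECTED
];
foreach ($tests as $name) {
    $resolved = safeFilePath("$root/files", $name);
    printf("%-16s -> %s\n", var_export($name, true), $resolved === null ? 'REJECTED' : 'OK');
}
// In a real handler the base comes from __DIR__, e.g.
// safeFilePath(__DIR__ . '/../private/files', $_GET['name'] ?? '').

unlink("$root/files/report.txt"); unlink("$root/secret.txt");
rmdir("$root/files"); rmdir($root);
```

Keep the base directory outside the web server's document root, as in the commented call at the end, so that even a bug in the check cannot turn a download endpoint into a way to fetch your PHP sources.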
File Security Best Practices
🔒 1. Never Use 777 Permissions
- Avoid full access permissions
- Grant each user class only the minimum access it needs
🔒 2. Validate File Uploads
- Check the file type from its content (finfo), not from the client-supplied name or $_FILES["type"]
- Check file size
- Rename uploaded files to a random name you generate, keeping only an extension you chose
- Allow only a short list of safe extensions rather than trying to block dangerous ones (.php, .phtml, .phar, .exe and others may all be executed depending on server configuration), and store uploads outside the web root or configure the server not to execute scripts in that folder
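The following is an added example, not code from the original tutorial. It applies the checks above to a $_FILES entry: size limit, MIME type detected from content with finfo, an extension allowlist keyed by that detected type, a random file name, and a non-executable mode on the stored file. The two demo entries (a PNG header and a PHP script renamed to .png) are constructed, and the actual move is skipped in the demo because move_uploaded_file() only accepts files that PHP itself received via HTTP; the names checkUpload and storeUpload are chosen here.

```php
<?php
// Added example (not from the original tutorial): server-side checks for an
// uploaded file. Only the $_FILES fields PHP populates are used; the assumed
// layout is an upload directory outside the web root.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Allowlist keyed by MIME type detected from file CONTENT, mapped to the
// extension we will assign. The client-supplied name and $_FILES['type']
// are never trusted.
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

// Validate one $_FILES entry. Returns [true, extension] or [false, reason].
function checkUpload(array $f): array
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload error code ' . ($f['error'] ?? UPLOAD_ERR_NO_FILE)];
    }
    if (($f['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        return [false, 'file too large'];
    }
    if (!is_file($f['tmp_name'] ?? '')) {
        return [false, 'temporary file missing'];
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']) ?: 'unknown';
    if (!isset(ALLOWED_TYPES[$mime])) {
        return [false, "type $mime not allowed"];
    }
    return [true, ALLOWED_TYPES[$mime]];
}

// Validate and move the upload into $destDir under a random name.
// Returns the stored path, or null on rejection.
function storeUpload(array $f, string $destDir): ?string
{
    [$ok, $detail] = checkUpload($f);
    if (!$ok) {
        error_log("upload rejected: $detail");   // log server-side; never echo paths to the client
        return null;
    }
    // Random name: discards the user-chosen name (no .php, no "../", no
    // collisions) and keeps only the extension chosen from the content.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $detail;
    // move_uploaded_file() refuses anything that is not a genuine HTTP upload.
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640);     // readable by owner and group, never executable
    return $target;
}

// Constructed demo entries (no web server involved): a real PNG signature and
// a PHP script renamed to .png.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php system(\$_GET['c']);");

foreach ([
    ['name' => 'photo.png', 'tmp_name' => $png, 'size' => filesize($png), 'error' => UPLOAD_ERR_OK],
    ['name' => 'shell.png', 'tmp_name' => $php, 'size' => filesize($php), 'error' => UPLOAD_ERR_OK],
] as $entry) {
    [$ok, $detail] = checkUpload($entry);
    printf("%-10s -> %s (%s)\n", $entry['name'], $ok ? 'accept' : 'reject', $detail);
}
// photo.png  -> accept (png)
// shell.png  -> reject (type text/x-php not allowed)

unlink($png);
unlink($php);
```

In a real request handler you would call storeUpload($_FILES['file'], '/srv/app/private/uploads') and serve the stored file through a PHP script that sets the Content-Type itself, so the web server never executes or guesses anything in the upload folder.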
🔒 3. Protect Sensitive Files
- Store config files outside public folders (the web server's document root), so no URL maps to them
- Where a file must stay inside the web root, use .htaccess rules to deny direct access (Apache only, and only if the host allows overrides; nginx ignores .htaccess files)
- Restrict direct access with file permissions as well (600 for files only PHP needs to read)
🔒 4. Avoid Exposing File Paths
Never show full file paths in error messages. In production set display_errors=Off and log_errors=On so that details go to the server log instead of the browser.
🔒 5. Use Proper Folder Structure
Keep these in separate directories with their own permissions, ideally all outside the public web root:
- Uploads
- Logs
- Config files
👉 This improves both security and maintainability
Real-World Secure Setup
A good production setup looks like:
- Files → 644
- Folders → 755
- Sensitive files → 600
- Upload folder → 755, owned by the account PHP runs as (with 755 only the owner can write, so PHP must be the owner), with upload validation and script execution disabled for that folder
👉 This balance ensures:
- Security
- Proper functionality
Common Security Mistakes
- Allowing unrestricted file uploads
- Writing files without checking that the write succeeded or that the target is writable
- Storing plaintext passwords or API keys in files inside the web root
- Ignoring the server's file permission rules and "fixing" errors with 777
FAQs
Q: Which permissions should I use for PHP files and folders?
A: Usually 644 for files and 755 for folders.
Q: Can I change file permissions from PHP?
A: Yes, using the chmod() function (if the server allows it).
Q: Why is 777 dangerous?
A: Because it allows any account on the server to modify your files.
Q: How do I protect a sensitive file such as a config file?
A: Use 600 to restrict access to the owner.
Summary
- File permissions control access to files
- Use safe permission values
- Validate and secure uploaded files
- Avoid exposing sensitive data
Practice Task
- Create a file and set permission using chmod()
- Check if the file is readable and writable
- Try different permission values (644, 755)
- Observe how access changes
In the next tutorials, you’ll work on practical projects based on Core PHP concepts that will test your understanding and help improve your PHP development skills.