Best file permission for users to upload and delete files and folders

Question

1. Lets say I let people upload files on the server. Should I change the file name s after the upload ? if yes, how can I tell the about the file names later on , beacause in CMS I need tpo provide them with the url to images or doc files etc so they refer to them while producing text for the website.

2. I coded a program with which my users can navigate through some files and folders they can create folders and upload files of any extension inside the mentioned folders . Unfortinately my code creates all files and foldes with 777 permission. I wanna know What would happen if someone uploads a .php file inside a folder and runs it. Can he/she Delete every possible thing ? May you help me with right permission I should give to those files and folders. The uploader should know about the url where he/she has uploaded the image so while creating some content he can refer to them as url for images or office word documents. Please help me with security hole.

Thank you.

Answer 1

1. I suggest you create some database table as a reference to those file so that you can record the old name, and changing the name in file system to different one so that you will never overwrite an existing file with same name.Or you can even same file in DB instead of file system.
2. First thing is you should not allow user upload any executable files to your server, or at least you need to change the extension name to something else I think. And I don't think 777 is needed, you just need to make sure the folder r/w to the php/web server processor and that's should be enough for any user access them