That's the correct operation, because the PHP script doesn't actually execute, it gets read by the PHP interpreter (so just needs read permission, not execute). I'd say what you should be doing is not allowing anonymous FTP uploads directly to a web accessible directory. You've got a number of options.
One possibility is to set up the FTP server to upload somewhere else (not web-accessible), and then write a simple shell script that runs every few minutes via cron to copy recognised image files into the web root.
Alternatively, if you only have a small number of trusted users, setting up password based FTP access (rather than anonymous) would probably help.
|