  1. #1
    SitePoint Evangelist

    Making file uploads safe

    I'm working on a site where users can create an account and upload .jpgs, .zips and .pdfs. Normally I don't worry too much about malicious content getting uploaded as it's the client that does the uploading—and they wouldn't want to bring their own site down.

    My question is: should I be worried about security? I'm checking the file extensions and the file headers (Content-type) but I don't think that's 100% secure. If someone 'disguised' a script as a file upload (.jpg for example) how hard would it be for the uploader to execute it? I guess even if they uploaded something they wouldn't be able to execute it unless your PHP scripts were programmed to do so (e.g. include() uploaded files), which my site doesn't.

    I'm also uploading the files to a password protected folder (so they wouldn't know its name or location) and then—when the user needs to access it—reading it in and specifying the appropriate file headers through a PHP script.

    Is there any more that I can do other than the above? Should I be worried?
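The approach described in the post (extension check, content check, storage in a non-public folder, serving through a PHP script with explicit headers) as an added example; this is not code from the thread, and the storage path, the allow-list and the `userfile` field name are assumptions. It differs from the post in two ways: it sniffs the stored bytes instead of trusting the browser's Content-type, and it gives every file a random server-chosen name.

```php
<?php
// Added example, not code from the thread. Assumes STORE sits outside the web root.
const ALLOWED = ['jpg' => 'image/jpeg', 'pdf' => 'application/pdf', 'zip' => 'application/zip'];
const STORE   = '/var/www/private_uploads';

// Validate one entry of $_FILES and store it; returns the server-chosen name.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // The client-supplied name is untrusted: use its extension only to look up
    // which MIME type the bytes MUST have.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Do not trust $_FILES['type'] (set by the browser); sniff the bytes on disk instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, expected " . ALLOWED[$ext]);
    }
    // Random name chosen by the server, so the original name never reaches the disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], STORE . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    chmod(STORE . '/' . $stored, 0640);   // readable by the web server, never executable
    return $stored;
}

// Stream a stored file back, forcing a download instead of in-browser rendering.
function send_download(string $stored, string $downloadName): void
{
    // Only the exact format we generate is accepted, so no path can be smuggled in.
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|pdf|zip)$/', $stored) || !is_file(STORE . "/$stored")) {
        http_response_code(404);
        return;
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $downloadName);
    header('Content-Type: ' . ALLOWED[pathinfo($stored, PATHINFO_EXTENSION)]);
    header('X-Content-Type-Options: nosniff');   // browsers must not second-guess the type
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize(STORE . "/$stored"));
    readfile(STORE . "/$stored");
}

// Usage: $name = store_upload($_FILES['userfile']);  send_download($name, 'report.pdf');
```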

  2. #2
    Ramiro S
    Interesting. I have something similar. In fact I think almost the same: checking the content type with PHP functions, uploading to some folder and using a function to mask the URL (loading the content and displaying it under another name).

    I think if you want to get more picky you could check for specific things when you load the file into a variable... for example checking for the PHP open tag or for some JavaScript, just in case someone is loading something hidden. Also remove execution permission for the folder / files.

    I'm not sure what else can be done.

  3. #3
    SitePoint Addict
    If the files are only for download, you are good.

