  1. #1
    SitePoint Addict khuramyz's Avatar
    Join Date
    Oct 2005
    Location
    Manchester, UK
    Posts
    296

    virus in upload file type csv

    Hello everyone,

    I am making a contact list management utility in which we are allowing users to upload their CSVs comprising of their contacts. These CSV files will be checked upon a rigid criteria (name, address, phone, email, etc.). If the rows are correct then they will be inserted into the db.

    Now, to the real question: we are limiting our users to upload only CSV files, and this will be done through checking the last 3 characters of the uploaded file. If they are csv then ok, otherwise discard. But what if the file was originally something else and its extension was changed? If we read that file, is there any chance that a hidden virus or macro could be run on the server? I am sorry, I am not being very elaborative; it's because I don't much know how to ask this question.

    I would really love you gurus to help me out on this one.

    Cheers,
    Khuram

  2. #2
    SitePoint Wizard stereofrog's Avatar
    Join Date
    Apr 2004
    Location
    germany
    Posts
    4,324
    If you check only the file extension or MIME type, your users are able to upload everything they want; however, it's generally not possible to execute uploaded files on the server, unless it's configured to do so. Nevertheless, you should always check file content and make sure it's what you expect it to be.

  3. #3
    SitePoint Addict khuramyz's Avatar
    Hi stereofrog,

    I think I can understand the first part, where servers are not configured to run any executable. But how do we check file contents for the malicious part? I mean, I can simply open it in text mode and read it line by line. Is there something else that you would like to share regarding this? Please pardon my ignorance. Also, can you enlighten me on how to avoid SQL injection in this case?

    regards

  4. #4
    SitePoint Wizard stereofrog's Avatar
    No, you shouldn't (and cannot) check for the malicious code, just make sure the file is what you want, like you said in your first post:
    Quote, originally posted by khuramyz:
    These CSV files will be checked upon a rigid criteria (name, address, phone, email, etc.).
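
An added example, not code posted by anyone in this thread: one way to apply the advice in post #4 and answer the SQL injection question from post #3 is to reject anything that is not plain text, accept only rows that match strict per-column patterns, and insert them with bound parameters. Python with `sqlite3`, the column order, the patterns, the size limit and the `contacts` table are all assumptions made for the example.

```python
import csv
import io
import re
import sqlite3

# One pattern per column, in file order: name, address, phone, email.
# Patterns are assumptions for this example; tighten them to your data.
RULES = (
    re.compile(r"[^\W\d_][\w .'-]{0,99}"),
    re.compile(r"[\w .,#'/-]{1,200}"),
    re.compile(r"\+?[0-9][0-9 ()-]{5,19}"),
    re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,189}\.[A-Za-z]{2,24}"),
)
MAX_BYTES = 100_000  # also keeps any single field under csv's default field limit

def parse_contacts(raw: bytes):
    """Return (valid_rows, rejected_line_numbers); ValueError if not plain text."""
    if len(raw) > MAX_BYTES or b"\x00" in raw:
        raise ValueError("upload is too large or contains binary data")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("upload is not UTF-8 text") from None
    good, bad = [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text, newline="")), 1):
        row = [cell.strip() for cell in row]
        if len(row) == len(RULES) and all(p.fullmatch(v) for p, v in zip(RULES, row)):
            good.append(tuple(row))
        else:
            bad.append(lineno)  # reject the row; never try to "clean" it
    return good, bad

def store(conn, rows):
    # Bound parameters: a quote in a name (O'Brien) is data, never SQL text.
    conn.executemany(
        "INSERT INTO contacts (name, address, phone, email) VALUES (?, ?, ?, ?)", rows)
    conn.commit()

# Constructed sample upload: two valid rows, a bad email, a short row.
SAMPLE = (b"Jane Doe,12 High St,+44 161 555 0100,jane@example.com\n"
          b"Conan O'Brien,1 Main Rd,0161 555 0101,conan@example.org\n"
          b"Eve Adams,3 Low St,0161 555 0102,not-an-email\n"
          b"Mallory,only,three\n")

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (name TEXT, address TEXT, phone TEXT, email TEXT)")
    rows, rejected = parse_contacts(SAMPLE)
    store(db, rows)
    print(len(rows), "stored; rejected lines:", rejected)
```

The file extension plays no part in the decision: a renamed binary fails the text check, and a text file with the wrong shape simply yields no accepted rows.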

  5. #5
    SitePoint Addict khuramyz's Avatar
    Great. Thank you bro. You have been a great help.

    Regards

