File upload safety advice

Does anyone think this is not safe? I’m testing it for use with client uploads.

// upload_max_filesize cannot be changed with ini_set() at runtime;
// it has to be set in php.ini or per directory.
ini_set('upload_max_filesize', '2000K');
if (($_FILES["file"]["type"] == "image/gif")
    || ($_FILES["file"]["type"] == "image/jpg")
    || ($_FILES["file"]["type"] == "image/jpeg")
    || ($_FILES["file"]["type"] == "image/pjpeg")
)
{
    if ($_FILES["file"]["error"] > 0)
    {
        echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
    elseif ($_FILES["file"]["size"] > 2048000)
    {
        // Stop here so an oversized file is not moved into uploads/
        echo 'the file is too big';
    }
    else
    {
        echo "Upload: " . $_FILES["file"]["name"] . "<br />";
        echo "Type: " . $_FILES["file"]["type"] . "<br />";
        echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
        echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

        if (file_exists("uploads/" . $_FILES["file"]["name"]))
        {
            echo $_FILES["file"]["name"] . " already exists. ";
        }
        else
        {
            move_uploaded_file($_FILES["file"]["tmp_name"],
                "uploads/" . $_FILES["file"]["name"]);
            echo "Stored in: " . "uploads/" . $_FILES["file"]["name"];
        }
    }
}
else
{
    echo "Invalid file";
}
// Debug output while testing
phpinfo();
var_dump($_FILES);

Thanks

This looks pretty safe.
To further increase security you could use finfo_open to let PHP determine the mime type of the uploaded file, instead of relying on what the browser sent to PHP.
If you really want to go all out you could let GD open the image and save it again, which should remove all possible malicious code encoded in the image (believe me, it’s possible).

Considering you’re only dealing with images, you can probably rely on getimagesize to tell you if the file is a valid image or not.

That and the move_uploaded_file you’re already using should be a good start.

It’s not safe at all.

You could upload a php file with a crafted header and it’ll sail through.
Also, even if you extend it to test for mime type, this can also be bypassed by a file padded with fake data to mimic the header of an allowed filetype.

You should at least force the file extension to a safe one so that even if a malicious file does get uploaded, it cannot be activated directly.

As EastCoast said, it isn’t safe. I’ve been hacked before by a file uploaded as an .flv file, and when I tried to open that file in WordPad it’s a perfect PHP script. One way to combat this is to change the filename, most preferably to a random filename, upon upload so the hacker can’t access his file.

Is it OK to put it into a hidden directory?

Hidden directory?? I don’t know if you can actually hide a directory. Do you mean a directory within the root of the server… outside public_html? Well, I guess that’s also good, as the uploaded file can’t be accessed via HTTP.

No, within public_html, but that can be viewed, I’m guessing… Alternatively, I could make the filename encoded as EastCoast suggested…

How do you suggest this can be done?

Thanks to all
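
An added example, not code from any poster in this thread, that combines the suggestions made above: server-side type detection with finfo, a getimagesize check, re-saving through GD, a random filename with a forced extension, and storage outside public_html. The function name `store_image_upload`, the constants and the `/srv/private_uploads` path are assumptions for illustration; the form field name and size limit follow the question.

```php
<?php
// Added example, not code from the thread.
const UPLOAD_DIR = '/srv/private_uploads'; // assumption: directory outside public_html
const MAX_BYTES  = 2048000;                // same limit as the question

// MIME type detected on the server => [forced extension, GD loader, GD writer]
const ALLOWED = [
    'image/gif'  => ['gif', 'imagecreatefromgif',  'imagegif'],
    'image/jpeg' => ['jpg', 'imagecreatefromjpeg', 'imagejpeg'],
];

function store_image_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $tmp = $f['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('Not an uploaded file, or too big');
    }
    // Detect the type from the file contents; $f['type'] comes from the browser.
    $mime = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $tmp);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)
        || getimagesize($tmp) === false) {
        throw new RuntimeException('Invalid file');
    }
    [$ext, $load, $save] = ALLOWED[$mime];

    // Decode and re-encode with GD: metadata and trailing bytes are dropped.
    $img = @$load($tmp);
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }
    // Random name plus forced extension; the client's filename is never used.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!$save($img, $dest)) {
        throw new RuntimeException('Could not write image');
    }
    return $dest;
}

if (isset($_FILES['file'])) {
    try {
        echo 'Stored as: ' . htmlspecialchars(basename(store_image_upload($_FILES['file'])));
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage());
    }
}
```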