#1 Adam
Join Date: Nov 2004
Location: UK / England
Posts: 17,271
    Securing file uploaders.

    Just some general security tips.

1. Have an array of allowed extensions (.jpg, .gif, etc.). If no match is found, fail. (Use PHP's in_array function to check.)

- Remember to grab the file extension by creating a substring, and ensure you lower-case all the characters before checking!

2. Rename the file to something random, a unique name. Remember time is not good enough, as someone could upload a file at the same time (rare, but I've seen it happen). Create a function to generate a name, check a database to see if it can find the same name, and if so generate a new one: do { } while (mysql_num_rows($query) > 0); etc. I prefer a database check over PHP's function "file_exists" due to its nature of caching results.

    Renaming the file also prevents other filename tricks like php.jpg.

    3. CHMOD the directory to 755 (sometimes works) else 777.

4. Add a .htaccess file inside the upload directory to prevent direct script execution of files like php, cgi, etc. Only allow requests for files you permit! This is your last bit of protection: if a file does get uploaded here, at least .htaccess will prevent the script from running. Ensure you test the .htaccess rules first.

- You could also upload the files outside of the web root to prevent any direct access. When a user requests a file, you can create a PHP script to push the file out through headers.


Log all uploads in a database just in case: filename, date, IP, etc.
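The steps above put together as one handler. This is an added example, not code from the original post, and it makes some assumptions: an Apache host running PHP, a private "uploads_private" directory next to the web root that the server does not serve directly, an open PDO connection in $pdo, a table "uploads" with the columns stored_name, original_name, ip and uploaded_at, and a form field called "upload". The .htaccess rules for step 4 are included as a comment for the case where the directory has to stay web-accessible; the stored files are written with mode 0644 so they are readable but never executable.

```php
<?php
// Added example, not code from the original post: the steps above in one handler.
// Assumed layout: this script is served from the web root, uploads are kept in
// a sibling directory that the web server cannot serve directly, $pdo is an open
// PDO connection, and the table "uploads(stored_name, original_name, ip, uploaded_at)"
// exists. All of these names are assumptions made for the example.
declare(strict_types=1);

const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'gif' => 'image/gif',  'png'  => 'image/png'];
const UPLOAD_DIR = __DIR__ . '/../uploads_private';   // outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;

// Step 1: whitelist the extension, lower-cased. pathinfo() takes the text after the
// last dot, so "x.php.jpg" is checked as "jpg" and "x.PHP" as "php" (rejected).
function allowedExtension(string $clientName): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return array_key_exists($ext, ALLOWED_EXT) ? $ext : null;
}

// Step 2: random name, regenerated until the database has no row with that name.
// (A UNIQUE index on stored_name is a cheap backstop for the race the post mentions.)
function uniqueStoredName(PDO $pdo, string $ext): string
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM uploads WHERE stored_name = ?');
    do {
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        $stmt->execute([$name]);
    } while ((int) $stmt->fetchColumn() > 0);
    return $name;
}

// Steps 2 and 5: store under the random name outside the web root, then log it.
// $file is one entry of $_FILES, e.g. $_FILES['upload'].
function handleUpload(PDO $pdo, array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Upload failed or file too large');
    }
    $ext = allowedExtension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('File type not allowed');
    }
    $stored = uniqueStoredName($pdo, $ext);
    // move_uploaded_file() refuses paths that are not genuine uploads of this request
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('Could not store file');
    }
    chmod(UPLOAD_DIR . '/' . $stored, 0644);   // readable, never executable
    $pdo->prepare('INSERT INTO uploads (stored_name, original_name, ip, uploaded_at)
                   VALUES (?, ?, ?, NOW())')
        ->execute([$stored, $file['name'], $_SERVER['REMOTE_ADDR'] ?? '']);
    return $stored;
}

// The "push the file out through headers" script: the only route to a stored file.
// The name is matched against the exact shape we generate, so no path component
// supplied by the client ever reaches the filesystem.
function serveUpload(string $stored): void
{
    if (!preg_match('/\A[a-f0-9]{32}\.(jpg|jpeg|gif|png)\z/', $stored)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($stored, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED_EXT[$ext]);
    header('X-Content-Type-Options: nosniff');       // browser must not sniff it into HTML
    header('Content-Disposition: inline; filename="' . $stored . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Step 4, if the directory has to stay web-accessible anyway: an .htaccess for it
// (Apache 2.4 syntax; AllowOverride must permit these directives, so test it).
//
//   Require all denied
//   <FilesMatch "\.(?i:jpe?g|gif|png)$">
//       Require all granted
//   </FilesMatch>
//   RemoveHandler .php .phtml .phar .cgi .pl
//   php_flag engine off        # mod_php only; no effect under PHP-FPM

// Usage from the form handler (assumed form field name "upload"):
// $stored = handleUpload($pdo, $_FILES['upload']);
```

The upload directory itself has to be writable by the web server user and by nobody else; the files inside it never need the execute bit, which is why the handler sets 0644 rather than leaving the mode to the process umask.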

#2 Fresh Newbie
Join Date: Jul 2009
Posts: 4
    Re: Securing file uploaders.

    Another easy way to secure image files is to utilize PHP's imagecreatefromjpeg() function. There are also imagecreatefromgif() and imagecreatefrompng() for different file types. Enter a file as the parameter, and if the function is able to successfully draw the image (no errors), it's valid.

    Just something to add to the list.

#3 Adam

    Re: Securing file uploaders.

    Indeed but it is possible to hide code inside images.
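One way to combine the decode check from #2 with the concern raised in #3, as an added example that is not code from either post: decode the upload with GD, then write a fresh file from the decoded pixels only. Bytes carried in EXIF or comment segments, or appended after the end of the image data, are not part of the decoded pixels and so do not reach the stored copy. The input used in the demonstration is constructed inline (a small JPEG with a PHP tag appended); the MAX_PIXELS cap and the function names are choices made for this example.

```php
<?php
// Added example, not code from either post: decode an upload with GD (the check
// suggested in #2) and then write a fresh copy from the decoded pixels, so that
// bytes smuggled into EXIF/comment segments or appended after the image data
// (the concern in #3) are not carried into the stored file.
declare(strict_types=1);

const MAX_PIXELS = 25000000; // refuse decompression bombs before decoding them

/** Returns the stored path on success, throws on anything that is not a clean image. */
function validateAndReencode(string $src, string $destBase): string
{
    $info = @getimagesize($src);               // reads only the header
    if ($info === false || $info[0] * $info[1] > MAX_PIXELS) {
        throw new RuntimeException('Not an image, or too large to decode safely');
    }
    switch ($info[2]) {                        // decoder chosen by detected type, not by filename
        case IMAGETYPE_JPEG: $img = @imagecreatefromjpeg($src); $ext = 'jpg'; break;
        case IMAGETYPE_PNG:  $img = @imagecreatefrompng($src);  $ext = 'png'; break;
        case IMAGETYPE_GIF:  $img = @imagecreatefromgif($src);  $ext = 'gif'; break;
        default: throw new RuntimeException('Unsupported image type');
    }
    if ($img === false) {
        throw new RuntimeException('Image failed to decode');
    }
    $dest = $destBase . '.' . $ext;
    switch ($ext) {                            // re-encode: only pixel data survives
        case 'jpg': $ok = imagejpeg($img, $dest, 90); break;
        case 'png': $ok = imagepng($img, $dest);      break;
        default:    $ok = imagegif($img, $dest);      break;
    }
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('Could not write re-encoded image');
    }
    return $dest;
}

// Demonstration with a constructed input: a valid 8x8 JPEG with a PHP tag appended
// after the end-of-image marker. libjpeg stops at that marker, so
// imagecreatefromjpeg() still decodes the file and the decode check alone accepts it.
$tmp = tempnam(sys_get_temp_dir(), 'up');
$canvas = imagecreatetruecolor(8, 8);
imagefill($canvas, 0, 0, imagecolorallocate($canvas, 200, 30, 30));
imagejpeg($canvas, $tmp);
imagedestroy($canvas);
file_put_contents($tmp, '<?php echo "hidden"; ?>', FILE_APPEND);

$decodesDespitePayload = (@imagecreatefromjpeg($tmp) !== false);

// The re-encoded copy is built from pixels alone, so the appended tag is not in it.
$clean = validateAndReencode($tmp, sys_get_temp_dir() . '/clean-' . bin2hex(random_bytes(8)));
$payloadGone = (strpos(file_get_contents($clean), '<?php') === false);

var_dump($decodesDespitePayload, $payloadGone);
unlink($tmp);
unlink($clean);
```

Re-encoding removes metadata and trailing bytes, but a payload engineered into the pixel data itself can survive recompression, so this is a complement to, not a replacement for, keeping the upload directory non-executable and serving files with a fixed image Content-Type. The pixel cap matters because GD allocates the full uncompressed bitmap in memory before the check can fail.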


 
