PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
I made a file upload utility. I am adding a filter to the uploaded filename to prevent bad people from moving up the folder tree, up to the root of the server.
Ex: Filename sent could be "..\..\..\index.htm". I think that may reach the root file.
olivierd wrote: Thank you. Seems to work. Can we assume this takes care of that security issue when using file upload to a server?
Thanks for your input.
That will control where the files go, sort of, but it doesn't control their types. You should decide what you're going to allow and only allow those file types to be uploaded. Don't do it the other way, disallowing things you don't want. Otherwise some sneaky hacker will float some obscure extension past you.
Thanks Dave, I have a filter for the accepted filetypes now. So combining these 2 methods seems fairly secure, well, for what I am doing. If you are aware of any major security issues with uploading files, or our common coding mistakes for that, please share. I am looking into this more and more as I am building an upload tool (very basic tool).
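The two checks discussed in this thread (reducing the client-supplied filename to a leaf name, then allowlisting extensions), combined in one place. This is an added example, not code posted by anyone in the thread; the function names, the allowlist contents and the sample filenames are assumptions made for illustration.

```php
<?php
// Added example: names and the allowlist below are assumptions, not from the thread.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

/**
 * Reduce a client-supplied filename to a safe leaf name, or return null to reject it.
 */
function safe_upload_name(string $clientName): ?string
{
    // Normalise separators first: on Linux, basename() does not split on "\",
    // so "..\..\..\index.htm" would otherwise survive as a single name.
    $leaf = basename(str_replace('\\', '/', $clientName));

    // Replace anything outside a conservative character set (this also removes NUL bytes).
    $leaf = preg_replace('/[^A-Za-z0-9._-]/', '_', $leaf);

    // Reject empty names, "." / ".." and hidden files such as ".htaccess".
    if ($leaf === '' || $leaf[0] === '.') {
        return null;
    }

    // Allowlist on the final extension, compared case-insensitively.
    $ext = strtolower(pathinfo($leaf, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $leaf : null;
}

/**
 * Store one entry of $_FILES under $uploadDir; returns the stored path or null.
 */
function store_upload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = safe_upload_name($file['name'] ?? '');
    if ($name === null) {
        return null;
    }
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    // move_uploaded_file() only moves files that PHP itself received as an upload.
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Constructed sample filenames showing what is kept and what is rejected.
foreach (['..\\..\\..\\index.htm', '../../etc/passwd', 'photo.JPG', 'notes.php', '.htaccess'] as $n) {
    printf("%-22s => %s\n", $n, var_export(safe_upload_name($n), true));
}
```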