Secure upload

someberry
Forum Contributor
Posts: 172
Joined: Mon Apr 11, 2005 5:16 am

Secure upload

Post by someberry »

I have made an upload script, and at the moment I have checked against all the potential dangers that I can think of... for the moment.

I am currently:
- checking for errors ($_FILES['variable']['error'])
- checking the size of the file (Can anyone recommend a suitable max file size? I thought 200k would suffice)
- checking the MIME type
- checking the extension
- checking the file doesn't already exist

If all those are okay, then I move the file via move_uploaded_file. My main aim is to stop people uploading potentially dangerous scripts (to the server, site, and users), such as PHP, CGI, PERL, EXE etc. Does anyone else have any suggestions as to how I can tighten the security even more, to make absolutely sure no potentially dangerous scripts are uploaded?

Thanks.
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Post by shiznatix »

Well, it all depends on what you're having the user upload. If it's only an image, like an avatar, then 200K is plenty. And if you want to be secure about it, do getimagesize (I think that's the function), and if it returns true then it really is an image; if not, then the user is trying to pull a fast one on you and you can slap them down with an error. But that's only images; for the rest there really isn't a way to verify what kind of file it truly is.
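The checks someberry lists (error code, size, MIME type, extension, existing file) together with shiznatix's getimagesize() suggestion, written out as one handler. This is an added example, not code from either poster; it assumes the form field is called "upload", that $storageDir is a directory outside the web root, and that the caller has already authenticated the user. Note that $_FILES['...']['type'] is whatever the browser chose to send, so the example sniffs the bytes with finfo instead, and it never reuses the client-supplied file name.

```php
<?php
// Added example: a hardened upload handler. Assumptions: field name "upload",
// $storageDir outside the document root, caller handles authentication.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 200 * 1024; // the 200k limit from the original post

// Allow-list keyed by extension: the MIME type finfo must report for each.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

function handleUpload(array $file, string $storageDir): string
{
    // 1. PHP's own error code first; anything but UPLOAD_ERR_OK is rejected.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    // Only trust a path that really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 2. Size: measure the temp file on disk, not the client-supplied value.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File size out of range');
    }

    // 3. Extension: only the last extension counts, lower-cased, and it must be
    //    on the allow-list. "shell.php.jpg" becomes "jpg" here and is then
    //    caught by the content checks below if it is not really an image.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // 4. MIME type: sniff the bytes; $file['type'] is browser-supplied.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("Content type $detected does not match .$ext");
    }

    // 5. getimagesize() must be able to parse the file as that image type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('File is not a valid image');
    }

    // 6. Random server-side name: no collision with existing files and no
    //    path characters from the client. The file is stored non-executable.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_exists($target)) {
        throw new RuntimeException('Target already exists');
    }
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($target, 0644);
    return $target;
}

// Usage from the form handler (upload directory path is assumed):
// try {
//     $stored = handleUpload($_FILES['upload'], '/var/app/uploads');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Rejected: ' . htmlspecialchars($e->getMessage());
// }
```

The order matters: the cheap checks (error code, size) run before the content checks, and the allow-list ties each extension to the one MIME type it may carry, so a file passing as "jpg" has to actually parse as a JPEG.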
cheatboy00
Forum Contributor
Posts: 151
Joined: Sat Jun 29, 2002 10:36 am
Location: canada

Post by cheatboy00 »

how did you go about checking MIME type?
someberry
Forum Contributor
Posts: 172
Joined: Mon Apr 11, 2005 5:16 am

Post by someberry »

$_FILES['variable']['type'] for the header info.

"there really isn't a way to verify what kind of file it truly is"

So there is no way to tell if the file is really a PHP etc. file? Is this actually realistically possible to do, and if so, is there any way to combat it?

Thanks.
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas

Post by Pyrite »

I would suggest having some virus/spyware/adware scanner on the server that actively checks the directory you upload to for malicious files.

Apart from that, server protection is best to make sure that files in the uploads directory cannot be executed and things like that.
someberry
Forum Contributor
Posts: 172
Joined: Mon Apr 11, 2005 5:16 am

Post by someberry »

I’m not as worried about files that can harm users’ computers, since it is their own risk whether or not they accept/run them (although they shouldn’t be allowed to be uploaded in the first place). What I really want to stop is scripts that are potentially dangerous to the server, which can expose it and the code which is on it (each user will have their own account in which they can upload not just image files, but js, htm, html, doc, css etc.).

My main priority and philosophy is ‘prevention is better than cure’. I would preferably like to stop altogether these kinds of scripts being allowed onto the server, full stop.

Thanks.
someberry
Forum Contributor
Posts: 172
Joined: Mon Apr 11, 2005 5:16 am

Post by someberry »

Anyone got any ideas?
phpScott
DevNet Resident
Posts: 1206
Joined: Wed Oct 09, 2002 6:51 pm
Location: Keele, U.K.

Post by phpScott »

What you could do is, when the file is uploaded, open up the permissions on the folder to allow writing to it but no execution. When the move has taken place, reset the permissions on the file and folder to read only. Or just the folder to read only.
When a file is requested to be downloaded, reopen the permissions on the folder but not the files to allow the download, then reset the permissions again.
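Pyrite's point that the uploads directory should be one where files cannot be executed, and phpScott's idea of gating downloads, can both be met without toggling permissions on every request: keep the files outside the document root and hand them out through a script. This is an added example, not code from either poster. It assumes the files live in /var/app/uploads (a path outside the web root) and were stored under a random 32-character hex name plus an extension; the id regex would need widening if other naming is used.

```php
<?php
// Added example: serve uploaded files from outside the document root so the
// web server never executes them. Assumed storage path and naming scheme.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads'; // assumed, not under the web root

// Map a public id to a file on disk. Only a plain "<32 hex>.<ext>" name is
// accepted, so "../" or slashes never reach the filesystem.
function resolveUpload(string $id): ?string
{
    if (!preg_match('/^[a-f0-9]{32}\.[a-z0-9]{1,5}$/', $id)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $id);
    // realpath() follows symlinks; the result must still be inside UPLOAD_DIR.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Send the file as a download. Returns false (and a 404) when the id is bad.
function sendUpload(string $id): bool
{
    $path = resolveUpload($id);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    // Sniff the stored bytes rather than trusting the extension, and force a
    // download so the browser does not render or run the content inline.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path) ?: 'application/octet-stream';
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return true;
}

// Usage: download.php?id=<stored name>
// sendUpload((string) ($_GET['id'] ?? ''));
```

Because nothing under UPLOAD_DIR is reachable by URL, an uploaded .php file is just bytes the script reads with readfile(); the permission state of the folder never has to change, which also removes the race that per-request chmod calls would introduce.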