html upload file security
Moderator: General Moderators
html upload file security
How secure is the transmission of uploading files from an html form to a sever?
- If your users are connected via an https connection, that effectively eliminates any third party from snooping on the wire.
- The default for file uploads is into the /tmp directory. On a shared server, anyone else would probably be able to access that file via a php script. However, the /tmp directory is flushed somewhat regularly.
- If you need security on your files, move the uploaded file to your root as soon as it's uploaded. You can also change the owner on the file to stop others from snooping.
- If you are still worried, you can use mcrypt to encrypt the contents of the file while it's stored on the server. However, you'll likely need to store the encryption key somewhere - which would render encryption useless as a means of protecting from others on the server.
- If you're on your own server, the best way to protect the files from someone not hacking your entire server, is to make sure the files are stored below the server root. So, if the server root is /var/www/html/, store the files in /var/www, /usr/, /home/ or someplace that doesn't have /var/www/html/ in the root. This will, of course, stop people from even being able to access the file by typing in the fully qualified URI of the file.
- The default for file uploads is into the /tmp directory. On a shared server, anyone else would probably be able to access that file via a php script. However, the /tmp directory is flushed somewhat regularly.
- If you need security on your files, move the uploaded file to your root as soon as it's uploaded. You can also change the owner on the file to stop others from snooping.
- If you are still worried, you can use mcrypt to encrypt the contents of the file while it's stored on the server. However, you'll likely need to store the encryption key somewhere - which would render encryption useless as a means of protecting from others on the server.
- If you're on your own server, the best way to protect the files from someone not hacking your entire server, is to make sure the files are stored below the server root. So, if the server root is /var/www/html/, store the files in /var/www, /usr/, /home/ or someplace that doesn't have /var/www/html/ in the root. This will, of course, stop people from even being able to access the file by typing in the fully qualified URI of the file.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
In your script you can do several things
Check the extension of the file (do not allow certain extensions)
Check the mime type of the file
Rename the file to avoid special character input
Check the size of the file (if it's an image file, it should be no greater than let's say 500kb?)
Store it in a location where only you know the location
Only allow yourself read/write/execute access.
It really depends on how secure you need it.
Check the extension of the file (do not allow certain extensions)
Check the mime type of the file
Rename the file to avoid special character input
Check the size of the file (if it's an image file, it should be no greater than let's say 500kb?)
Store it in a location where only you know the location
Only allow yourself read/write/execute access.
It really depends on how secure you need it.