html upload file security

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
nincha
Forum Contributor
Posts: 191
Joined: Fri Mar 28, 2003 12:30 pm
Location: CA, USA

html upload file security

Post by nincha »

How secure is the transmission of uploading files from an html form to a sever?
User avatar
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

wow, there are so many variables involved with that question...

SSL?
Server Type?
Shared Hosting?
PHP script used?
Location of files on server?
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

type of files allowed
user permissions
folder permissions
...list goes on

I think the answer is "as safe/secure as you make it"
8O
User avatar
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia
Contact:

Post by shiznatix »

what i think the real QUESTION is - how many people hate you online?
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

damn it, I was gonna add that one to my list...











8O
User avatar
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W
Contact:

Post by pickle »

- If your users are connected via an https connection, that effectively eliminates any third party from snooping on the wire.

- The default for file uploads is into the /tmp directory. On a shared server, anyone else would probably be able to access that file via a php script. However, the /tmp directory is flushed somewhat regularly.

- If you need security on your files, move the uploaded file to your root as soon as it's uploaded. You can also change the owner on the file to stop others from snooping.

- If you are still worried, you can use mcrypt to encrypt the contents of the file while it's stored on the server. However, you'll likely need to store the encryption key somewhere - which would render encryption useless as a means of protecting from others on the server.

- If you're on your own server, the best way to protect the files from someone not hacking your entire server, is to make sure the files are stored below the server root. So, if the server root is /var/www/html/, store the files in /var/www, /usr/, /home/ or someplace that doesn't have /var/www/html/ in the root. This will, of course, stop people from even being able to access the file by typing in the fully qualified URI of the file.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
User avatar
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

In your script you can do several things

Check the extension of the file (do not allow certain extensions)
Check the mime type of the file
Rename the file to avoid special character input
Check the size of the file (if it's an image file, it should be no greater than let's say 500kb?)
Store it in a location where only you know the location
Only allow yourself read/write/execute access.

It really depends on how secure you need it.
Post Reply