Safe upload

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm

Safe upload

Post by user___ »

Hi guys,
I have an uploader but I do have a lot of doubts about how to check files which are going to be uploaded. I let users upload anything but php, html, js, and css.

I know that $_FILES is not secure enough.

How to upload them securely?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I know that $_FILES is not secure enough.
There is nothing wrong with using $_FILES. Are you referring to the mime type sent along with files to determine the kind of file they have uploaded?
user___
Forum Contributor
Posts: 297
Joined: Tue Dec 05, 2006 3:05 pm


Post by user___ »

Yes, I mean MIME types.
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

The security issues arise when you allow users to upload and directly access files on your server. Checking for mime-types on upload won't help you determine if a file is a malicious PHP file (it's all plain text). What you should be doing is storing files in a non-public directory on the server side. When a user goes to download one of their files, a script should be set up to open the file with file_get_contents() and echo the contents of that file to the user, making sure that you send along the appropriate headers. The headers should look something like:

<?php
// Send the stored file as a download. The type is a placeholder: set it to the
// real type of the file, and the filename to the name the user should see.
// (A newline inside a header value is not allowed; header() takes one header per call.)
header("Content-Type: application/text");
header("Content-Disposition: attachment; filename=whatever_you_want.xxx");
The content-type header should be sent to whatever $_FILES['userfile']['type'] is set to on upload (see http://www.php.net/features.file-upload).
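An added example (not code from anyone in this thread) that puts together both halves of the discussion: the check on upload that user___ asked about, and the "store outside the public directory, serve through a script" approach aaronhall describes. It deviates from the advice above in two labelled places: the stored Content-Type comes from the bytes of the file (PHP's finfo) rather than from $_FILES['userfile']['type'], because that value is whatever the browser chose to send, and the file is streamed with readfile() rather than file_get_contents() plus echo. The storage directory, the allowed types, the request routing and the sidecar .json metadata file are all assumptions; PHP 7 or later is assumed.

```php
<?php
declare(strict_types=1);

// Assumption: this directory is NOT under the web root, so nothing in it can be
// requested (or executed by the PHP handler) directly.
const STORAGE_DIR = '/var/app/uploads';

// Assumption: an allowlist of the types this application actually expects.
// An allowlist is used instead of the question's blocklist (php, html, js, css)
// because a blocklist has to anticipate every dangerous extension and alias.
const ALLOWED_TYPES = [
    'image/png'       => true,
    'image/jpeg'      => true,
    'application/pdf' => true,
    'text/plain'      => true,
];

// Validate and store one entry of $_FILES; returns an opaque id for later download.
function store_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Guard against being handed a path that is not a real uploaded temp file.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // $file['type'] is the browser's claim; sniff the content instead.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$detected])) {
        throw new RuntimeException("rejected type: $detected");
    }
    // Never reuse the client's file name on disk: it may carry path separators
    // or an executable extension. Store under a random id with no extension.
    $id   = bin2hex(random_bytes(16));
    $dest = STORAGE_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // Keep the detected type and a sanitised display name beside the blob
    // (sidecar .json file is an assumption of this example).
    $display = preg_replace('/[^A-Za-z0-9._-]/', '_', basename((string) $file['name']));
    $meta = ['type' => $detected, 'name' => ($display !== '' ? $display : 'download')];
    file_put_contents($dest . '.json', json_encode($meta), LOCK_EX);
    return $id;
}

// Serve a stored file by id, with the headers aaronhall mentions.
function send_download(string $id): void
{
    // Only the ids we generated are accepted, so no "../" can reach other paths.
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        http_response_code(404);
        return;
    }
    $path = STORAGE_DIR . '/' . $id;
    if (!is_file($path) || !is_file($path . '.json')) {
        http_response_code(404);
        return;
    }
    $meta = json_decode((string) file_get_contents($path . '.json'), true);
    header('Content-Type: ' . $meta['type']);
    header('Content-Disposition: attachment; filename="' . $meta['name'] . '"');
    header('X-Content-Type-Options: nosniff'); // stop browsers second-guessing the type
    header('Content-Length: ' . filesize($path));
    readfile($path); // streams the file instead of loading it all into memory
}

// Assumed routing: one script receives the form post, the other serves downloads.
//   upload:   $id = store_upload($_FILES['userfile']);
//   download: send_download($_GET['id'] ?? '');
```

Two things worth knowing when adapting this: finfo reports a PHP source file as text/x-php rather than text/plain, so a script renamed to .txt is still rejected by the allowlist above; and because the stored file has no extension and lives outside the web root, even a file that did slip through could only ever be returned as an attachment by send_download(), never executed by the server.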