Hi guys,
I have an uploader but I do have a lot of doubts about how to check files which are going to be uploaded. I let users upload anything but php, html, js, and css.
I know that $_FILES is not secure enough.
How do I upload them securely?
Safe upload
- John Cartwright
- Site Admin
- aaronhall
- DevNet Resident
The security issues arise when you allow users to upload and directly access files on your server. Checking MIME types on upload won't help you determine if a file is a malicious PHP file (it's all plain text). What you should be doing is storing files in a non-public directory on the server side. When a user goes to download one of their files, a script should be set up to open the file with file_get_contents() and echo the contents of that file to the user, making sure that you send along the appropriate headers. The headers should look something like:

// Generic binary type; substitute the type recorded for this file.
// header() must not contain a newline, otherwise PHP refuses to send it.
header("Content-Type: application/octet-stream");
// Quote the filename so spaces and special characters survive.
header("Content-Disposition: attachment; filename=\"whatever_you_want.xxx\"");

The Content-Type header should be set to whatever $_FILES['userfile']['type'] was set to on upload (see http://www.php.net/features.file-upload).
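As an added worked example (not code from the original post or from anyone on this forum), here is one way to implement the pattern described above in PHP: the upload goes into a directory outside the web root under an opaque random name, and a download script streams it back with explicit headers. It assumes a storage directory /var/www/private/uploads that the web server cannot serve directly, a form field named userfile, a GET parameter id, and a 5 MB cap; the function names store_upload() and send_download() are mine. It departs from the reply in one respect: the Content-Type comes from sniffing the stored bytes with finfo and checking the result against a short whitelist, not from $_FILES['userfile']['type'], because that value is whatever the client chose to send.

```php
<?php
// Added example, not from the original post. STORAGE_DIR is an assumption:
// it must be outside the document root so nothing in it is ever executed
// or served by the web server directly.
declare(strict_types=1);

const STORAGE_DIR = '/var/www/private/uploads';   // assumption: not reachable via HTTP
const MAX_BYTES   = 5 * 1024 * 1024;               // assumption: 5 MB cap

// Types we are willing to echo back with their real Content-Type. Anything
// else is still stored but served as application/octet-stream.
const SAFE_TYPES = ['image/png', 'image/jpeg', 'image/gif', 'application/pdf'];

/**
 * Store one entry of $_FILES under an opaque random id and return that id.
 * The client-supplied name and type are kept as metadata only; the file on
 * disk never carries a user-chosen name or extension.
 */
function store_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . ($file['error'] ?? 'unknown'));
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('rejected upload');
    }

    // Sniff the type from the bytes on disk, not from $_FILES[...]['type'],
    // which the client sets freely.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']) ?: 'application/octet-stream';

    $id   = bin2hex(random_bytes(16));
    $dest = STORAGE_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0600);

    // Keep the original name only as data: drop directory parts and any
    // character outside a small safe set.
    $origName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name']));
    file_put_contents($dest . '.json', json_encode([
        'name' => $origName !== '' ? $origName : 'download',
        'type' => in_array($detected, SAFE_TYPES, true) ? $detected : 'application/octet-stream',
        'size' => filesize($dest),
    ]));
    return $id;
}

/**
 * Stream a stored file back to the user. $id comes from the URL and is
 * validated against the exact shape store_upload() produces, so it cannot
 * contain path separators. The caller is responsible for checking that the
 * current user is allowed to read $id before calling this.
 */
function send_download(string $id): void
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id)) {
        http_response_code(400);
        exit('bad id');
    }
    $path = STORAGE_DIR . '/' . $id;
    $meta = @json_decode((string) @file_get_contents($path . '.json'), true);
    if (!is_array($meta) || !is_file($path)) {
        http_response_code(404);
        exit('not found');
    }

    header('Content-Type: ' . $meta['type']);
    header('X-Content-Type-Options: nosniff');      // stop browsers guessing a script type
    header('Content-Length: ' . (string) $meta['size']);
    // Quote the filename; it was already reduced to a safe character set.
    header('Content-Disposition: attachment; filename="' . $meta['name'] . '"');
    readfile($path);                                 // streams; avoids holding the file in memory
    exit;
}

// Minimal dispatcher (assumption: form field "userfile", GET parameter "id").
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    echo 'stored as ', store_upload($_FILES['userfile']);
} elseif (isset($_GET['id'])) {
    send_download((string) $_GET['id']);
}
```

readfile() is used in place of echo file_get_contents() so a large download does not have to fit in PHP's memory limit; the behaviour for the reader is the same. The random id doubles as the only handle the browser ever sees, so a user cannot name a file on disk or guess another user's file from its original name, but an ownership check still belongs in front of send_download().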