Page 1 of 1
Safe upload
Posted: Sun Mar 25, 2007 10:00 am
by user___
Hi guys,
I have an uploader but I do have a lot of doubts about how to check files which are going to be uploaded. I let users upload anything but php, html, js, and css.
I know that $_FILES is not secure enough.
How to upload them securely?
Posted: Sun Mar 25, 2007 10:04 am
by John Cartwright
I know that $_FILES is not secure enough.
There is nothing wrong with using $_FILES. Are you refering to the mime type sent along with files to determine the kind of file they have uploaded?
Reply
Posted: Sun Mar 25, 2007 11:43 am
by user___
Yes, I mean MIME types.
Posted: Sun Mar 25, 2007 12:28 pm
by aaronhall
The security issues arise when you allow users to upload and directly access files on your server. Checking for mime-types on upload won't help you determine if a file is a malicious PHP file (it's all plain text). What you should be doing is storing files in a non-public directory on the server side. When a user goes to download one of their files, a script should be set up to open the file with
file_get_contents() and echo the contents of that file to the user, making sure that you send along the appropriate headers. The headers should look something like:
Code: Select all
header("Content-Type: application/text\n");
header("Content-Disposition: attachment; filename=whatever_you_want.xxx");
The content-type header should be sent to whatever $_FILES['userfile']['type'] is set to on upload (see
http://www.php.net/features.file-upload).