Page 1 of 1

Safe upload

Posted: Sun Mar 25, 2007 10:00 am
by user___
Hi guys,
I have an uploader but I do have a lot of doubts about how to check files which are going to be uploaded. I let users upload anything but php, html, js, and css.

I know that $_FILES is not secure enough.

How to upload them securely?

Posted: Sun Mar 25, 2007 10:04 am
by John Cartwright
I know that $_FILES is not secure enough.
There is nothing wrong with using $_FILES. Are you refering to the mime type sent along with files to determine the kind of file they have uploaded?

Reply

Posted: Sun Mar 25, 2007 11:43 am
by user___
Yes, I mean MIME types.

Posted: Sun Mar 25, 2007 12:28 pm
by aaronhall
The security issues arise when you allow users to upload and directly access files on your server. Checking for mime-types on upload won't help you determine if a file is a malicious PHP file (it's all plain text). What you should be doing is storing files in a non-public directory on the server side. When a user goes to download one of their files, a script should be set up to open the file with file_get_contents() and echo the contents of that file to the user, making sure that you send along the appropriate headers. The headers should look something like:

Code: Select all

header("Content-Type: application/text\n");
header("Content-Disposition: attachment; filename=whatever_you_want.xxx");
The content-type header should be sent to whatever $_FILES['userfile']['type'] is set to on upload (see http://www.php.net/features.file-upload).