Hi all, I hope this post is appropriate for this forum. Here goes:
My goal is the following: Allow users to upload files to my website/server (for storage puposes only).
My intended implementation: Accepting uploads via HTTP POST (with PHP).
My concern: That a malicious user will write a script that uploads tons of files continuously until my server's hard disk is full and crashed.
Some precautions that I intend to take:
1) setting a max upload size in the php.ini file
2) Running the PHP script under SSL, and authenticating the user first (the problem is that we want to allow "trial" members...so even authenticated users might be malicious)
3) Have a separate disk partition which is where all uploaded files go to. Think of it as a "loading dock." All uploads go here first, and then a separate PHP script rumages through the loading dock, verifying that files are ok and that there's enough space before adding them to the main partition of our server.
Is #3 a good idea? Is it necessary? Perhaps the temporary location for PHP uploads would suffice as a loading dock? But should I stick this dock on a separate partition? I'd appreciate any comments to my promposed implementation/precautions, or alternat implementations. Thanks!
php upload, security concerns
Moderator: General Moderators
- Ixplodestuff8
- Forum Commoner
- Posts: 60
- Joined: Mon Feb 09, 2004 8:17 pm
- Location: Queens, New York
- Pointybeard
- Forum Commoner
- Posts: 71
- Joined: Wed Sep 03, 2003 7:23 pm
- Location: Brisbane, AUS
- Contact:
-
rhunter007
- Forum Newbie
- Posts: 5
- Joined: Sat Jul 26, 2003 3:57 pm
Thanks for the tips. Now I've thought of a more basic question actually...Let's say I run the PHP script in an SSL secured directory. How do I actually restrict uploads to authorized users? I know that I can write something like:
But how does this prevent an unauthorized user from dumping files in the PHP upload temp directory?
And a related question: What if I go to some random site and they have, say, an index.php file for their main page. What if I craft a HTTP POST request with a file and send it to that index.php? What will happen? Will it dump the file in the temp directory?
Thanks for the help.
Code: Select all
if (authCheck()) {
... move_uploaded_file(...) ...
}And a related question: What if I go to some random site and they have, say, an index.php file for their main page. What if I craft a HTTP POST request with a file and send it to that index.php? What will happen? Will it dump the file in the temp directory?
Thanks for the help.