This question has probably come up before. First of all, let me say...I am a complete beginner when it comes to PHP. Please dumb down your responses if you can lol I'll try my best to keep up.
I have a webform that allows users to upload files and sends them using PHP Post. I've already built in client side "extension validation" that runs when the submit button is pressed
I have a few questions regarding server side security and validation.
1.) Is it better to allow users to upload files to a secure directory on the server via the webform or to do as I am doing now with attaching the files and sending in email via PHP Post?
2.) Is it possible, using PHP, to check the mime-type of a file before its attached to email to make sure that it is really an image file? (The files are being uploaded via webform and sent as attachments using the PHP POST method, I would assume that there has to be a way to validate the mime-type using PHP before the POST operation begins or completes?)
3.) Is mime-type validation the most secure way on the server side to verify file contents?
4.) If I decide to allow users to upload files to a secure directory on the server, will it be possible, using PHP, to automatically create a subfolder/subdirectory named after one of the data entries made by the user on the webform, and have the image files placed in that subdirectory (and set permissions on the subdirectory)?
Thanks in advance!
Don
mime-type validation
Moderator: General Moderators
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: mime-type validation
I don't know the purpose of this, so, I don't know what you want to happen and what not to happen. In both cases, the uploaded files are seen by you.slanderman wrote:1.) Is it better to allow users to upload files to a secure directory on the server via the webform or to do as I am doing now with attaching the files and sending in email via PHP Post?
Not entirely. You can make sure the file behaves as an image (displays as an image in image editors and viewers) by applying image filters. Typically people try to resize the file.slanderman wrote:2.) Is it possible, using PHP, to check the mime-type of a file before its attached to email to make sure that it is really an image file? (The files are being uploaded via webform and sent as attachments using the PHP POST method, I would assume that there has to be a way to validate the mime-type using PHP before the POST operation begins or completes?)
No.slanderman wrote:3.) Is mime-type validation the most secure way on the server side to verify file contents?
Sure, I see no problems.slanderman wrote:4.) If I decide to allow users to upload files to a secure directory on the server, will it be possible, using PHP, to automatically create a subfolder/subdirectory named after one of the data entries made by the user on the webform, and have the image files placed in that subdirectory (and set permissions on the subdirectory)?
Re: mime-type validation
A valid image file can still contain code and execute
How is this possible? Consider this
if you put that in a file called image.php it will run as PHP and the "23jklsjxdf023u4" string will simply be output to the browser. Imagine "23jklsjxdf023u4" was some binary data producing a valid jpeg file. I have seen some of these craftily constructed images, usually they are a picture of nothing, random noise or solid color but still execute code. Applying an image resize would likely corrupt the PHP but the important thing is to rename the file to .jpg and store it outside of web-root. Even then someone could socially engineer your users into saving the file and renaming it to .exe for example
How is this possible? Consider this
Code: Select all
23jklsjxdf023u4
<?php
echo 'foo';- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: mime-type validation
We would need to know what you do with those files. If you just want someone to send you some files through a form and they are emailed to you, the script does not really need to check anything about the contents of the file - your anti-virus should do that. However, if the files are publicly accessible, then you do need to pay attention to it.