PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
PostPosted: Mon Aug 01, 2011 1:53 pm 
Forum Newbie

Joined: Mon Aug 01, 2011 1:46 pm
Posts: 2
I'm creating a simple upload script so that clients can upload information about potential projects (such as PDFs, CAD drawings, etc.) to my server instead of sending it by email (the sizes of these files are sometimes too big for email).

Here's what I have:

Client Side

<form enctype="multipart/form-data" action="script.php" method="POST">
  <!-- Advisory only: the browser may honour this, the server must not rely on it -->
  <input type="hidden" name="MAX_FILE_SIZE" value="10000000" />
  <ul>
    <li class="form"><label for="variable">Choose a file to upload: </label></li>
    <li class="form"><input name="variable" id="variable" type="file" /><br /></li>
    <li class="form"><input type="submit" value="Upload File" /></li>
  </ul>
</form>


Server Side

<?php
$uploaddir = './upload/'; // Relative path under webroot
// The stored name is taken straight from the client-supplied filename;
// basename() strips directories but keeps whatever extension the client chose.
$uploadfile = $uploaddir . basename($_FILES['variable']['name']);
// move_uploaded_file() refuses anything that is not a genuine upload of this request.
if (move_uploaded_file($_FILES['variable']['tmp_name'], $uploadfile)) {
    echo "<p>File uploaded successfully</p>";
} else {
    echo "<p>File uploading failed.  Please use your browser's back button to return to the upload form.</p>";
}
?>


Now, of course, this would normally be vulnerable. It looks to me, though, that I can set my upload folder permissions to 700 and be safe.

Am I wrong thinking this way? Is it possible that the server will somehow execute a file automatically? (Because I don't see a way that this could cause harm)


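The question in this post is whether directory mode 700 protects a folder that sits under the web root. As an added example (not code from the thread or its posters), the following audit script checks an upload directory for the two conditions that matter: whether it is reachable through the document root, and whether the mode bits can restrict the web server at all. A directory that PHP itself created is owned by the web server user, so 0700 keeps other accounts out but not the process that serves and interprets the files. Assumptions: it is run as the web server user (from the web server or via `sudo -u www-data php check.php`), `./upload/` is the path from the post, and `$_SERVER['DOCUMENT_ROOT']` (or the current directory on the CLI) is the web root.

```php
<?php
// Added deployment check for an upload directory (assumption: run as the web server user).
// Mode 0700 limits other users; it does nothing against the web server that owns the
// directory, so the real fix is a directory outside the document root.

function auditUploadDir(string $dir, string $docRoot): array
{
    $findings = [];
    $real = realpath($dir);
    if ($real === false) {
        return ["$dir does not exist"];
    }
    $root = realpath($docRoot);
    // Reachable by URL? Compare canonical paths with a trailing separator so that
    // /var/www/html-old is not mistaken for a child of /var/www/html.
    if ($root !== false && strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        $findings[] = "$real is inside the document root $root: everything stored here is served "
                    . "by the web server, and a .php file would be run by PHP on request";
    }
    $mode = fileperms($real) & 0777;
    if (function_exists('posix_geteuid') && fileowner($real) === posix_geteuid()) {
        $findings[] = sprintf(
            '%s is owned by this process (uid %d); mode %04o restricts other users, not the server that writes and serves the files',
            $real, posix_geteuid(), $mode
        );
    }
    // For a data-only store, anything executable or script-like already present is a red flag.
    foreach (glob($real . '/*') ?: [] as $entry) {
        if (is_file($entry) && (is_executable($entry) || preg_match('/\.(php\d?|phtml|phar)$/i', $entry))) {
            $findings[] = "$entry is executable or carries a script extension";
        }
    }
    return $findings;
}

$uploaddir = './upload/';                                  // same relative path as the first post
$docRoot   = $_SERVER['DOCUMENT_ROOT'] ?? getcwd();        // CLI fallback: current directory
foreach (auditUploadDir($uploaddir, $docRoot) as $finding) {
    echo "WARNING: $finding\n";
}
```

With the post's layout (`./upload/` directly under the script's own directory) the script reports both findings; moving the directory out of the document root clears the first and makes the mode bits irrelevant to the question.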
PostPosted: Tue Aug 02, 2011 2:31 am 
Forum Contributor

Joined: Mon Dec 27, 2010 8:58 am
Posts: 134
Apply a filter to not allow uploading of php, pl, etc. files on the server. Accept only those files which you want by checking their extension.
Yes, changing folder and file permissions does the trick.


PostPosted: Tue Aug 02, 2011 1:41 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Fri Sep 02, 2011 3:53 am 
Forum Contributor

Joined: Thu Oct 29, 2009 6:48 am
Posts: 239
Location: UK
You also might want to enforce a server-side max file size as well as a client-side filter.


PostPosted: Thu Nov 24, 2011 4:51 pm 
Briney Mod

Joined: Mon Jan 19, 2004 7:11 pm
Posts: 6446
Location: 53.01N x 112.48W
@ !social_experiment: You don't need to call is_uploaded_file() if you're using move_uploaded_file(), as the latter does the same kind of checking as the former.

Storing the files outside the document root is a must. If users upload .php files, storing the files in the web root could cause problems.

_________________
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.


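Pulling the thread's advice together: the extension filter from the first reply, the server-side size limit from the later reply, and this post's point about storing outside the document root and relying on move_uploaded_file(). The script below is an added example, not the thread's code or the original poster's, and is a hardened replacement for the handler in the first post. Assumptions: the form field is still named `variable`, the storage directory is `/var/uploads` (any path outside the web root will do), the 10 MB limit matches the form's hidden field, the accepted types are the ones a client in the first post's situation would send (PDFs and a couple of CAD and image formats; the MIME strings finfo reports for DWG/DXF vary by libmagic version, so check yours), and PHP 7.1 or newer.

```php
<?php
// Added example (not from the thread): hardened upload handler.
// Assumed values: field name "variable", storage dir /var/uploads (outside the
// document root), 10 MB limit, PHP >= 7.1.

const UPLOAD_FIELD = 'variable';
const STORAGE_DIR  = '/var/uploads';   // assumed path; must NOT be under the web root
const MAX_BYTES    = 10000000;         // same limit as the MAX_FILE_SIZE form field

// Allow-list: extension => MIME types finfo may report for it (DWG/DXF entries are assumptions).
const ALLOWED = [
    'pdf' => ['application/pdf'],
    'dwg' => ['image/vnd.dwg', 'application/acad'],
    'dxf' => ['image/vnd.dxf', 'application/dxf'],
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'zip' => ['application/zip'],
];

/**
 * Validates one $_FILES entry and stores it. Returns [ok, userMessage, storedName].
 */
function handleUpload(array $file, string $storageDir): array
{
    // 1. PHP's own error code: php.ini/MAX_FILE_SIZE limits and partial uploads land here.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'Upload failed or no file was selected.', null];
    }
    // 2. Server-side size limit, independent of what the browser was told.
    if ($file['size'] > MAX_BYTES) {
        return [false, 'File is larger than the 10 MB limit.', null];
    }
    // 3. Only the extension is taken from the client name, and only if allow-listed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return [false, 'This file type is not accepted.', null];
    }
    // 4. Sniff the content: "report.pdf" that is really PHP source is rejected here.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        return [false, 'File content does not match its extension.', null];
    }
    // 5. Generated name: no client-controlled path components, no script extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($storageDir, '/') . '/' . $stored;
    // move_uploaded_file() already performs the is_uploaded_file() check.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'Could not store the file.', null];
    }
    chmod($dest, 0640); // data, not a program: no execute bit
    // Keep the original name for humans in a side file, never as the path.
    $original = preg_replace('/[\x00-\x1f\x7f]/', '', basename($file['name']));
    file_put_contents($dest . '.meta', $original . "\n", LOCK_EX);
    return [true, 'File uploaded successfully.', $stored];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES[UPLOAD_FIELD])) {
    [$ok, $msg, $stored] = handleUpload($_FILES[UPLOAD_FIELD], STORAGE_DIR);
    http_response_code($ok ? 200 : 400);
    echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Because the stored files live outside the document root under random names with no execute bit, nothing the client chose ends up in a path the web server would serve or PHP would run; the original filename survives only in the `.meta` side file for whoever collects the uploads.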
PostPosted: Thu Nov 24, 2011 5:19 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
OK; thanks, I was unaware of that :)

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering

