Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Here is what I use to upload profile pictures to a folder. I know this isn't secure yet. The folder's permission is set to 777 because that is the only way I could make it work.
Let me know what needs to be added/changed to keep hackers away.
The first thing is to use move_uploaded_file() instead of copy() because it does security checks. See the manual for that function for more info about uploads. There is also a whole section of the manual about Handling file uploads - http://us.php.net/manual/en/features.file-upload.php
As I said before, the folder's permission is 777. If I change it, not only does my uploading code not work, but the pictures don't display on the website. The way it is now, can someone upload files to that folder without using my website? My main concern is that someone will upload a bunch of junk to the folder, or overwrite someone else's picture with an unwanted one. Or perhaps they can delete others' photos.
condoravenue1 wrote: The way it is now, can someone upload files to that folder without using my website? My main concern is that someone will upload a bunch of junk to the folder, or overwrite someone else's picture with an unwanted one. Or perhaps they can delete others' photos.
No, you need access to a file that allows for file uploading to your server (or access to the webserver like an FTP account). Same goes for deleting / overwriting. Just a point on overwriting: it will be better to create new file names, should there be an upload ability on your site; in that way, the overwriting issue is pretty much resolved.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
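The two suggestions in this thread (move_uploaded_file() instead of copy(), and a new server-generated file name for every upload) combined into one handler, as an added example that is not code from any poster. The function name `store_profile_picture`, the form field `picture`, the `uploads` directory, the 2 MB limit and the allowed image types are all assumptions; it needs PHP 7 or later for random_bytes().

```php
<?php
// Hypothetical helper (not from the thread): validates one entry of $_FILES and
// stores it under a server-generated name. Returns the new name; throws on rejection.
function store_profile_picture(array $file, string $uploadDir, int $maxBytes = 2097152): string
{
    // Reject failed uploads and array-valued fields (several files sent as one).
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if ($file['size'] <= 0 || $file['size'] > $maxBytes) {
        throw new RuntimeException('File is empty or too large.');
    }
    // Only accept a temp file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Decide the type from the file contents, never from the client-supplied
    // name or $file['type'].
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Only JPEG, PNG or GIF images are accepted.');
    }
    // Random name with an extension we chose: nothing from the client reaches
    // the path, so one user cannot overwrite another user's picture.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    // move_uploaded_file() checks again that the source is a genuine upload.
    if (!move_uploaded_file($file['tmp_name'], rtrim($uploadDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

// Form handler; 'picture' and the uploads directory are assumed names.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['picture'])) {
    try {
        $stored = store_profile_picture($_FILES['picture'], __DIR__ . '/uploads');
        // Save $stored in the user's record and build the <img> URL from it.
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```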