Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I added an enhancement to my companies website which allows users to apply for a job online and upload a resume, which is then emailed to a certain person where the uploaded file is sent as an attachment. I have limited the mime type uploads to only word documents or plain text files.
Does anyone know of any issues when allowing a user to upload a file to a server in PHP? Another words, could someone possibly enter some malicious script into the input box which is used to browse for the file on a users local machine?
let's say that my web site is under /usr/local/httpd/mySite or c:\inetpub\wwwroot\mysite
a good practice to upload files that you think might be harmful is to put them outside of your web root (virtual folder) so they can't be accessed from the web.
ex:
/some/other/path/to/files/myfile.doc or c:\some\other\path\to\files\myfile.doc