Safe and Secure File Uploader function

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
blizzard_jdf
Forum Newbie
Posts: 3
Joined: Mon Jul 31, 2006 8:02 pm

Safe and Secure File Uploader function

Post by blizzard_jdf »

I am developing a method which will take a posted file, perform a series of checks and then write the file to the server (Linux) if it passes all of the checks.

Currently I perform the following checks:
  • Check to make sure the filesize is not too big
    Check the files extension
Not quite sure what else to put. I have a very fast server so it okay if it performs a lot of checks. better safe than sorry. I was going to check the mime type but my server does not have that extension installed. I was also thinking of using the is_file() function to make sure a proper file is uploaded and the is_executable() function to make sure that no executable files are uploaded (Currently I am only uploading images).

I'd like to make my upload function very robust so I am sure that their are other checks which need to be performed. Also I have heard that apache can also report errors on file uploads. Though I am not sure how to do this.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

is_file() and is_executable() are file system level checks, not operating system level ones.. ;)

We've talked about uploading a lot, so seeking out previous talks of uploading may be a good idea.
User avatar
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

You could try uploading (without putting it on the server) different types of file to get there exact $_FILES['whatever']['type'] and limit your uploading to those specific types

Note, however, that I've tried this and you get small things like image/jpeg and image/pjpeg (from Photoshop) and things like that, but it ensures you get the correct file types.
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The type provided in $_FILES is not reliable at all. It is provided by the user-agent performing the upload and is not checked by PHP for validity.
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

MIME magic is good for sniffing out the file type.
Post Reply