So...I'm pretty sure just checking the file name is nowhere near secure enough, after trial and error, and it seems like the second approach has holes too. So, I was wondering, what is the risk of uploading any file name given, then stringently checking its format against the allowed ones? Is it possible that a malicious user could use those bad files against me before I get a chance to check and/or delete them? All the files I'd have to check are text with very particular layout.
Thanks RudiVisser, So, you're saying that all I have to do is place the files outside of the web root, and that makes them completely safe so no one can access them or try to run them? There must be a way around that, isn't there?
As long as the PHP files you've written in the web root are secure and do not allow file inclusion via a variable, you'll be fine.
You could even change permissions so that the web server's user account can only write files, and (for example) an FTP account can read them. That way there's absolutely no chance, even if you did allow unsecured file inclusion, PHP could access the files.
This post has been edited by RudiVisser: 5 Nov, 2009 - 01:54 PM
Thanks RudiVisser, Hmm, that's interesting, but I don't think I get it. If I change the file permissions so the server can only write files, how does it read the files it uploads, and how can I use those files for anything? (I'm on a Linux Fedora system, if that helps.)
It depends exactly what you want to do with the files. What is it that you want to do?
If your users are simply uploading files that you retrieve via an FTP account, then that will solve your issue.
If your users are meant to redownload the files, you can make sure that they are not in any way executed by creating a "pass-thru" script that will take the filename as a parameter, use readfile, and send the content back as application/octet-stream with Content-Disposition: attachment headers.
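The "pass-thru" script described in that reply, written out as an added example (this is not code from the thread or from any poster). It assumes the uploaded files are stored in `/srv/app/uploads`, a directory outside the web root, and that the stored file name arrives as the `file` query parameter; both are assumptions. The name is restricted to a safe character set and the resolved path is checked to still lie inside the upload directory, so a request cannot walk out of it with `..` or a symlink, and the response headers keep the browser from treating the bytes as a page to render.

```php
<?php
// Added example: a pass-thru download script for files stored outside the web root.
// Assumptions: uploads live in UPLOAD_DIR (assumed path) and the stored file name
// is passed as ?file=<name>.
declare(strict_types=1);

const UPLOAD_DIR = '/srv/app/uploads'; // assumed: outside DocumentRoot

$requested = (string) ($_GET['file'] ?? '');

// Accept only a plain file name: letters, digits, dot, underscore, dash.
// This rules out directory separators, NUL bytes and names like "..".
if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}\z/', $requested)) {
    http_response_code(400);
    exit('Invalid file name');
}

$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . $requested);

// realpath() resolves symlinks; confirm the result is a regular file still
// inside the upload directory before serving anything.
if ($base === false || $path === false || !is_file($path)
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Send the bytes as an opaque attachment. nosniff stops the browser from
// guessing a "better" content type (e.g. text/html) from the file contents.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $requested . '"');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');

readfile($path);
```

Because the script only ever reads from the directory and streams the bytes back, the web server never executes anything in it; the file's own extension and contents are irrelevant to how it is delivered.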
There shouldn't be a problem if you don't allow execution on the files you upload. Simply allow the users to read/write to the folder and it should be fine. Then again, if you simply want to upload images, you could always check the type of file that's being uploaded ($_FILES['type']).
Thanks guys, Just to be clear, what I'm doing is downloading a file from the user, and then that file is used as input to a text interface program. Once the program which uses the data in the file is run, the file is deleted. So, the file isn't executed in any way; it's just read into this program.
Does that make sense? Does that mean I could just have only the server have permission to read, write, and execute that folder? Because, if the user wants to download one of his or her results files, the server would just pipe it back, right?
Well if you're just taking the input, you won't even need to resave the file out of the temporary directory anyway, just read it directly (from $_FILES['formfield']['tmp_name']).
This post has been edited by RudiVisser: 5 Nov, 2009 - 02:53 PM
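How the approach in that reply looks in practice, as an added example that is not code from the thread: the upload is read straight from `$_FILES['datafile']['tmp_name']`, checked strictly against the expected text layout, and then fed to the processing program on its standard input. The field name `datafile`, the program path `/usr/local/bin/process-data`, and the "label,number per line" format are all assumptions standing in for the asker's real ones. The file is never copied into a web-served directory and its contents never become part of a shell command; the array form of `proc_open` (PHP 7.4 or later) avoids a shell entirely. Note that the check is done on the file's contents, not on the client-supplied `$_FILES['datafile']['type']`, which the browser sets and any client can forge.

```php
<?php
// Added example: consume an uploaded text file directly from its temporary
// location, validate its layout, and pass it to a command-line tool on stdin.
// Assumptions: form field "datafile", placeholder tool path PROCESSOR,
// and an input format of one "label,number" pair per line.
declare(strict_types=1);

const MAX_BYTES = 1024 * 1024;                     // 1 MiB cap for the input
const PROCESSOR = '/usr/local/bin/process-data';   // placeholder, assumed path

function validateUpload(array $files, string $field): string
{
    if (!isset($files[$field]) || $files[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $tmp = $files[$field]['tmp_name'];
    // is_uploaded_file() confirms PHP itself placed this file for the current
    // request, so the script cannot be pointed at some other local path.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($files[$field]['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    return $tmp;
}

// Strict layout check: every line must be "<ascii label>,<number>".
// Anything else (binary, scripts, extra columns) is rejected before use.
function isValidFormat(string $contents): bool
{
    $trimmed = rtrim($contents, "\r\n");
    if ($trimmed === '') {
        return false;
    }
    foreach (preg_split('/\r?\n/', $trimmed) as $line) {
        if (!preg_match('/\A[A-Za-z0-9_]{1,32},-?\d+(\.\d+)?\z/', $line)) {
            return false;
        }
    }
    return true;
}

// Run the tool with the data on stdin. Using the array form of proc_open means
// no shell is involved, so the contents can never be interpreted as a command.
function runProcessor(string $contents): string
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open([PROCESSOR], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start processor');
    }
    fwrite($pipes[0], $contents);
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('Processor failed: ' . trim($err));
    }
    return $out;
}

try {
    $tmp = validateUpload($_FILES, 'datafile');
    $contents = file_get_contents($tmp);
    if ($contents === false || !isValidFormat($contents)) {
        http_response_code(400);
        exit('File does not match the expected format');
    }
    header('Content-Type: text/plain');
    echo runProcessor($contents);
} catch (RuntimeException $e) {
    http_response_code(400);
    exit($e->getMessage());
}
// PHP discards the temporary upload when the request ends; nothing was saved
// anywhere the web server could be asked to serve or execute it.
```

Since the file is consumed within the same request and never moved out of the temporary directory, there is no window in which a stored upload could be reached by another request, which is the exposure the original question was about.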
Thanks RudiVisser, I'm so sorry it took me a bit to reply; I didn't realize you put up an answer. That looks like the right way to go, so thanks again for your help. Thanks, Zel2008