Memory App
Programming
 




// Restrict file types (pathinfo) | is|move _uploaded_file() // Rename files (uniqid) // Login and Moderate // Shell | no system | escapeshellargs|cmd() When you allow users to upload files to your website, you are putting yourself at a security risk. While nobody is ever completely safe, here are some precautions you can incorporate to make your site safer.

Check the referrer:

Check to make sure that the information being sent to your script is from your website. While this information can be faked, it's still a good idea to check. (1/7)

Restrict file types:

You can check the mime-type and file extension and only allow certain types to be uploaded.

<form enctype="multipart/form-data" method="post">
    <input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
    Choose a file to upload: <input name="uploaded_file" type="file" />
    <input type="submit" value="Upload" />
</form> 

<?php
        // Check that we have a file
    if (!empty($_FILES['uploaded_file']) && $_FILES['uploaded_file']['error'] == 0) {

        // Check if the file is a type permited
        $filename = basename($_FILES['uploaded_file']['name']);
        $pathinfo = pathinfo($filename);
        $extension = $pathinfo['extension'];
        if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'bmp'))) {
            echo 'File type not permitted';
        }
    }
?>
(2/7)

Rename files: You can rename the files that are uploaded.


<?php
    if (!empty($_FILES['uploaded_file']) && $_FILES['uploaded_file']['error'] == 0) {
        $filename = basename($_FILES['uploaded_file']['name']);

        echo $new_filename = uniqid() . "_" . $filename;
            // 502913f491ac3_Chrysanthemum
    }
(3/7)

Change permissions

Change the permissions on the upload folder so that files within it are not executable. (4/7)

Login and Moderate

Making your users login might deter some deviant behavior. (5/7)

Shell

system() - Do not user system() escapeshellargs() - Use to escape arguments escapeshellcmd() - Use to escape commands (6/7)

Email

Do not provide open relays Open the SMTP port only if essential Delay incomming connections http://php.about.com/od/advancedphp/qt/upload_security.htm

Questions



Top Reference > Programming
0/0 (80)  
Not Logged