File uploads
Summary: Restrict file types (pathinfo) | is_uploaded_file() / move_uploaded_file() | Rename files (uniqid) | Login and Moderate | Shell: no system(), escapeshellarg() / escapeshellcmd()

When you allow users to upload files to your website, you are putting yourself at a security risk. While nobody is ever completely safe, here are some precautions you can incorporate to make your site safer.

* Check the referrer: Check to make sure that the information being sent to your script is from your website. While this information can be faked, it's still a good idea to check.

* Restrict file types: You can check the mime-type and file extension and only allow certain types to be uploaded.

<form enctype="multipart/form-data" method="post">
    <input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
    Choose a file to upload: <input name="uploaded_file" type="file" />
    <input type="submit" value="Upload" />
</form>
<?php
// Check that we have a file and that it was uploaded without error
if (!empty($_FILES['uploaded_file']) && $_FILES['uploaded_file']['error'] == UPLOAD_ERR_OK) {
    // Check if the file is a permitted type. The extension is compared in lower case,
    // and pathinfo() returns an empty string when the name has no extension at all.
    $filename  = basename($_FILES['uploaded_file']['name']);
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'bmp'), true)) {
        echo 'File type not permitted';
    }
}
?>

* Rename files: You can rename the files that are uploaded.

<?php
if (!empty($_FILES['uploaded_file']) && $_FILES['uploaded_file']['error'] == UPLOAD_ERR_OK) {
    // Prefix the original name with a unique id so that uploads cannot overwrite each other
    $filename = basename($_FILES['uploaded_file']['name']);
    echo $new_filename = uniqid() . "_" . $filename;
}
?>

* Change permissions: Change the permissions on the upload folder so that files within it are not executable.

* Login and Moderate: Making your users login might deter some deviant behavior.

Shell
* system() - Do not use system()
* escapeshellarg() - Use to escape arguments
* escapeshellcmd() - Use to escape commands

Email
* Do not provide open relays
* Open the SMTP port only if essential
* Delay incoming connections

php.about.com
1) How can you protect against malicious file uploads?

2) How can you protect against shell attacks?

3) For email security, you must always open the SMTP port
