Security flaw in this code approach

Question

Security flaw in this code approach

I wonder if there will be a security flaw in this approach. I am writing a piece of code that allows users to upload files and another set to download these files. These files can be any.

The user uploads the file (any file, including .php files), it is renamed to the md5 hash file (the extension is deleted) and saved on the server. The corresponding mySQL record is executed.
A user trying to download a file uses the download.php file to download the file to which the md5 file (with the original name) is sent.

Is there a way anyone can use the above scenario?

+5

security php file-upload

Alec smart Mar 18 '10 at 10:18

source share

6

include/require - , , .

, , .: -)

+1

janmoesen 18 . '10 10:19

, .

+1

Crozin 18 . '10 10:25

, , , , mime Content-Disposition. , PHP ( open_base_dir).

, , .

.

+1

symcbean 18 . '10 11:33

If this is another extension that does not execute by default and has a random hash, it is guaranteed not to be used. Just make sure you are not assigning PHP to the extension.

0

Jonnylitt Mar 18 '10 at 10:33

source share

I would suggest that you rename the file extensions to not executable, so even if there is a loophole in security, and someone can access the file, they will not be able to execute it. Other than that, I see no way that anyone could compromise security.

0

asarfraz Mar 18 '10 at 11:08

source share

Rithiur · Accepted Answer · 2010-03-18T10:53:47+0000

, . . , , , , .

-, PHP ( , readfile() ), , . apache, , - .htaccess " " , . , , ( - ).

-, , . , ? , , ( , ). , , - (, auto_increment). , ( , , , mysql_last_insert_id())

, , , , , .

Security flaw in this code approach

More articles: