Secure PHP file upload script

I asked this question twice, I think, but this is the first time I have come close to this. I plan to allow users to upload and download their files (.pdf, .doc, .exl, .ppt, .png, .jpg, .gif).

Will these tips suffice:

http://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/

Also, is there a script I can use, I'm new to php.

+8
file php upload forms storage
3 answers

Late answer, but I think your script should be based on this: http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/

It covers all aspects of security and explains all valid points. Hope this helps.

EDIT: The referenced link is dead, here is the cached version of this article.

+23

For future readers who are also new to php:

Before reading the tutorial mentioned in Ricky's answer, see https://stackoverflow.com/a/166269/2125, which mentions a good tutorial and is definitely recommended reading. I would suggest reading this answer first:

https://security.stackexchange.com/a/32853/31943

then read the manual mentioned by Ricky:

http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/

In the end, if you need extra security, you should disconnect from the Internet. :P

+8

There are a million files that load scripts. This one is not worse than others.

Although the "protection" from downloading files other than png will not work (it only checks the file name).

Uploading files is completely safe - it gives others the ability to upload them, which opens your server to certain types of attacks. The article you referred to does not mention two important points:

  • never serve user-submitted files from the same domain as your web page. Use a separate domain for downloads. Thus, even if someone succeeds in uploading a flash animation or HTML fragment, your domain will not suffer from a cross-domain attack (for example, if your application is on the example.org domain, you should serve user-generated content from, say, downloads.example.com);
  • always serve uploaded files with well-controlled headers.
+3
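The points raised in the answer above (check the content rather than the file name, keep uploads off the application's domain, serve them with controlled headers) as a worked example. This is an added illustration, not code from the question, from any of the answers, or from the linked articles. It assumes PHP 7.1 or later with the `fileinfo` extension, an upload directory outside the document root (the `$uploadDir` value is an assumed placeholder), and that the download function is deployed on the separate downloads host the answer recommends; `storeUpload`, `serveStoredFile`, `ALLOWED_TYPES` and `MAX_BYTES` are names chosen here.

```php
<?php
// Added example (not from the original question or answers): a minimal upload
// handler plus a separate download script. Assumes PHP >= 7.1 with the fileinfo
// extension and that $uploadDir lies OUTSIDE the web root (assumed path below).

declare(strict_types=1);

// Allowed extensions, mapped to the MIME types finfo must report for them.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'doc'  => ['application/msword'],
    'xls'  => ['application/vnd.ms-excel'],
    'ppt'  => ['application/vnd.ms-powerpoint'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

const MAX_BYTES = 5 * 1024 * 1024; // 5 MiB; an assumed limit

/**
 * Validate one $_FILES entry and move it into $uploadDir under a random name.
 * Returns the stored file name, or throws on any failure.
 */
function storeUpload(array $file, string $uploadDir): string
{
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Malformed upload');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Only accept the temp file PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // The client-supplied name and $_FILES['type'] are untrusted; the extension
    // is used only to decide which MIME types we expect the content to have.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // Check the actual bytes, not the name: this is what a name-only check misses.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    // For images, additionally require that the image decoder accepts the file.
    if (in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)
        && getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Never reuse the user's file name on disk: random name, validated extension.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // not executable, not world-readable
    return $stored;
}

/**
 * Serve a stored file with controlled headers. Intended to run on the separate
 * downloads host; $name must be a value previously returned by storeUpload().
 */
function serveStoredFile(string $name, string $uploadDir): void
{
    // Accept only "<32 hex chars>.<allowed ext>", which also rules out path traversal.
    if (!preg_match('/\A[0-9a-f]{32}\.([a-z]+)\z/', $name, $m)
        || !isset(ALLOWED_TYPES[$m[1]])) {
        http_response_code(404);
        return;
    }
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED_TYPES[$m[1]][0]);   // type chosen by us, not the client
    header('X-Content-Type-Options: nosniff');           // browser must not sniff a different type
    header('Content-Disposition: attachment; filename="' . $name . '"'); // download, never render inline
    header('Content-Security-Policy: sandbox');          // if rendered anyway: no script, opaque origin
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Example wiring (assumed paths and form field name):
// $uploadDir = '/var/app/uploads';   // outside the document root
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
//     echo htmlspecialchars(storeUpload($_FILES['userfile'], $uploadDir));
// } elseif (isset($_GET['f'])) {
//     serveStoredFile($_GET['f'], $uploadDir);
// }
```

The two halves are meant to live on different hosts: the application domain accepts uploads and stores only the random name, while the downloads domain is the only place that ever hands the bytes back, and it does so as an attachment with a server-chosen content type so that a file whose bytes passed the check for one type cannot be reinterpreted by the browser as another.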
