file upload

ibolui

Hi, I would like to seek a recommendation regarding file upload. I have read that to prevent local file inclusion vulnerabilities, an uploaded file should be given a randomly generated file name, and that name should be tracked in a database.

http://www.scanit.be/uploads/php-file-upload.pdf

I am wondering about the feasibility of this, because if there is a huge number of files, such as on a gallery website, would it be advisable to use this approach? If not, what can be done?


Sure, there are multiple approaches. For one, you could do `time() . microtime();`, which would just name the file after the precise moment of upload.

Another option would be to generate the file name and check it against your DB to make sure it hasn't been used already.


The database space and bandwidth requirement will pale in comparison to the requirements of the images themselves.

Is it required? Well, if you do `time().microtime();`, technically no, because it is highly unlikely two people will execute at the same time and take the same time for server transfer.

However, having said that, for your records, for keeping track of the files, and for allowing user ease (because if you are allowing them to create custom galleries then a DB is pretty much a must), I would HIGHLY recommend a DB. Like I said, you're planning on committing substantial resources to the images; the DB will seem insignificant.


If I understand correctly... the article said that the purpose of putting the files outside the website root is to prevent users from accessing the files directly. But then this solution may lead to local file inclusion attacks; hence the advice to rename the files uniquely and keep track of them in a database.

I think putting the files outside the website root is a very good idea, but I think it will be overkill to read and write those files via the database. Is there another method to prevent local file inclusion attacks besides the method mentioned in the article?


SMC has already said it a few times, and I think you are missing the point. It is feasible to use a database, and no, it won't hog many resources. After all, it's a database. They are made to store and sort data, and they do it well, as it is what they do.
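To make the two ideas discussed in this thread concrete (a generated, uniqueness-checked stored name recorded in a database, and files kept outside the web root but still reachable through a script), here is an added example of an upload and download handler. It is not code from the thread or from the linked PDF. It assumes an upload directory outside the document root (the `/var/www/private_uploads` path is a placeholder), PHP with PDO SQLite and the `fileinfo` extension, a 5 MiB size cap and a small image-only allow list; all of those are assumptions. It uses `random_bytes()` for the stored name rather than `time().microtime()`, so the name is not guessable, and it relies on a `UNIQUE` column in the table to catch any collision. The download side looks the file up by numeric id and rebuilds the path from the database row, so no user-supplied string ever becomes part of a filesystem path or an `include()` argument, which is the property that matters against local file inclusion.

```php
<?php
// Added example: store uploads outside the web root under a random name, record
// the mapping in SQLite, and serve files by id through a script.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/private_uploads';   // assumed path, outside DOCUMENT_ROOT
const MAX_BYTES  = 5 * 1024 * 1024;              // assumed policy: 5 MiB cap
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite:' . UPLOAD_DIR . '/uploads.sqlite');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS uploads (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            stored_name TEXT NOT NULL UNIQUE,
            original_name TEXT NOT NULL,
            mime TEXT NOT NULL,
            size INTEGER NOT NULL,
            uploaded_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)');
    }
    return $pdo;
}

// 128 bits of randomness: unguessable, and the UNIQUE constraint handles the
// astronomically unlikely collision.
function randomName(string $ext): string {
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Handle one entry of $_FILES and return the new row id.
function storeUpload(array $file): int {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // $file['type'] is client-supplied; sniff the content instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    $ext = ALLOWED[$mime];   // extension comes from the sniffed type, never from the client name

    $pdo = db();
    $stored = '';
    for ($attempt = 0; $attempt < 3; $attempt++) {
        $stored = randomName($ext);
        try {
            $stmt = $pdo->prepare(
                'INSERT INTO uploads (stored_name, original_name, mime, size) VALUES (?, ?, ?, ?)');
            // basename() strips any directory part; the original name is stored only for display.
            $stmt->execute([$stored, basename($file['name']), $mime, $file['size']]);
            break;
        } catch (PDOException $e) {
            if ($attempt === 2) {
                throw $e;   // give up after repeated UNIQUE violations
            }
        }
    }
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        $pdo->prepare('DELETE FROM uploads WHERE stored_name = ?')->execute([$stored]);
        throw new RuntimeException('could not move file');
    }
    chmod($dest, 0640);   // readable by the web server, never executable
    return (int) $pdo->lastInsertId();
}

// Serve a file by numeric id. The path is rebuilt from the DB row, so request
// input never reaches the filesystem.
function serveUpload(int $id): void {
    $stmt = db()->prepare('SELECT stored_name, original_name, mime, size FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: ' . $row['mime']);
    header('Content-Length: ' . $row['size']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $safeName . '"');
    readfile(UPLOAD_DIR . '/' . $row['stored_name']);
}

// Assumed routing: a POST with form field "photo" stores a file; GET ?id=N serves one.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['photo'])) {
    echo json_encode(['id' => storeUpload($_FILES['photo'])]);
} elseif (isset($_GET['id'])) {
    serveUpload((int) $_GET['id']);
}
```

The database here holds only metadata (a few hundred bytes per row), not the file contents, so the per-file cost is small even for a large gallery; the images stay on disk, and the table is what lets the download script map a public id to a private path without ever trusting the request for that path.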
