ibolui, posted May 23, 2008

Hi, I would like to seek a recommendation regarding file upload. I have read that, to prevent a local file inclusion vulnerability, an uploaded file should be given a randomly generated file name and tracked in a database: http://www.scanit.be/uploads/php-file-upload.pdf

I am wondering about the feasibility of this, because if there is a huge number of files, such as on a gallery website, would it be advisable to use this approach? If not, what can be done?
smc, posted May 23, 2008

Sure, there are multiple approaches. For one, you could do time() . microtime(); which would just name the file after the precise moment of upload. Another option would be to generate the file name and check it against your DB to make sure it hasn't been used already.
ibolui (author), posted May 23, 2008

Hmm... I mean, let's say my website is an image gallery. Then, by generating a unique filename and keeping track of it in a database, is that feasible for huge numbers of files?
smc, posted May 23, 2008

The database space and bandwidth requirement will pale in comparison to the requirements of the images themselves. Is it required? Well, if you do time().microtime(); technically no, because it is highly unlikely that two people will execute at the same time and take the same time for the server transfer. However, having said that, for your records, for keeping track of the files, and for user ease (because if you are allowing them to create custom galleries, then a DB is pretty much a must), I would HIGHLY recommend a DB. Like I said, you're planning on committing substantial resources to the images; the DB will seem insignificant.
ibolui (author), posted May 23, 2008

If I understand correctly, the article said that the purpose of putting the files outside the website root is to prevent users from accessing the files directly. But then this solution may lead to local file inclusion attacks; hence renaming the files uniquely and keeping track of them in a database. I think putting the files outside the website root is a very good idea, but I think it will be overkill to read and write those files via the database. Is there another method to prevent local file inclusion attacks besides the method mentioned in the article?
haku, posted May 23, 2008

SMC has already said it a few times, and I think you are missing the point. It is feasible to use a database, and no, it won't hog many resources. After all, it's a database. They are made to store and sort data, and they do it well, as it is what they do.
ibolui (author), posted May 23, 2008

Ohh... thanks.
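A worked version of the scheme discussed in this thread (smc's random-name-plus-database approach, and ibolui's question about serving files that live outside the web root), added here as an example; it is not code from the thread or from the scanit.be paper. Two points it makes explicit. First, a name built from time() . microtime() is guessable and can collide under concurrent uploads, so the example draws the name from random_bytes() and lets a UNIQUE column catch the theoretical collision. Second, the client never supplies a file name at all: it supplies an integer id, the path is assembled from the database row, and the upload directory is not under DocumentRoot, so no request data ever becomes part of a filesystem path and the file cannot be fetched or included by name. It assumes PHP 7.1 or later with the PDO SQLite and fileinfo extensions; the path /var/www/uploads-private is a placeholder for a directory outside the web root.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.1 with the
// PDO SQLite and fileinfo extensions. STORE_DIR is a placeholder for a
// directory the web server can write to but that is NOT under DocumentRoot.
declare(strict_types=1);

const STORE_DIR = '/var/www/uploads-private';
const MAX_BYTES = 5 * 1024 * 1024;
// Content-sniffed MIME types that are accepted, and the extension each gets.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function open_db(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS files (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        stored_name TEXT NOT NULL UNIQUE,
        original_name TEXT NOT NULL,
        mime TEXT NOT NULL,
        size INTEGER NOT NULL,
        created_at INTEGER NOT NULL)');
    return $db;
}

// Validate, rename to a random name, move outside the web root, record the
// mapping. Returns the database id, which is the only handle the client gets.
function store_upload(PDO $db, string $tmpPath, string $originalName,
                      string $storeDir, bool $fromRequest = true): int {
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('rejected: bad size');
    }
    // Type comes from the file contents, never from $_FILES[...]['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("rejected: $mime not allowed");
    }
    // CSPRNG name: unguessable, and 128 bits make collisions a non-issue.
    // The UNIQUE constraint turns a theoretical collision into a loud failure.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest   = $storeDir . DIRECTORY_SEPARATOR . $stored;

    $ins = $db->prepare('INSERT INTO files (stored_name, original_name, mime, size, created_at)
                         VALUES (?, ?, ?, ?, ?)');
    $ins->execute([$stored, basename($originalName), $mime, $size, time()]);
    $id = (int) $db->lastInsertId();

    // move_uploaded_file() refuses paths that were not uploaded in this request;
    // rename() is used only by the offline demo below.
    $moved = $fromRequest ? move_uploaded_file($tmpPath, $dest) : rename($tmpPath, $dest);
    if (!$moved) {
        $db->prepare('DELETE FROM files WHERE id = ?')->execute([$id]);
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the server, never executable
    return $id;
}

// Resolve a client-supplied id to a path. The id must be all digits and the
// path is assembled from the database row, so request data never reaches the
// filesystem API. Returns null for anything that does not resolve.
function lookup_file(PDO $db, string $rawId, string $storeDir): ?array {
    if ($rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    $sel = $db->prepare('SELECT stored_name, mime, original_name FROM files WHERE id = ?');
    $sel->execute([(int) $rawId]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $path = $storeDir . DIRECTORY_SEPARATOR . $row['stored_name'];
    return is_file($path) ? ['path' => $path, 'mime' => $row['mime'],
                             'name' => $row['original_name']] : null;
}

// Send the file, e.g. from download.php?id=42 with $_GET['id'] as $rawId.
function serve_file(PDO $db, string $rawId, string $storeDir): void {
    $f = lookup_file($db, $rawId, $storeDir);
    if ($f === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $f['mime']);
    header('X-Content-Type-Options: nosniff');
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $f['name']);
    header('Content-Disposition: inline; filename="' . $safeName . '"');
    readfile($f['path']);
}

// Offline demo with a constructed file standing in for a real upload.
if (PHP_SAPI === 'cli') {
    $db  = open_db();
    $dir = sys_get_temp_dir() . '/uploads-demo-' . bin2hex(random_bytes(4));
    mkdir($dir, 0700);
    $tmp = tempnam($dir, 'up');
    file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;"); // minimal GIF
    $id = store_upload($db, $tmp, '../../shell.php', $dir, false);   // hostile name never used as a path
    $f  = lookup_file($db, (string) $id, $dir);
    echo "id $id -> {$f['path']} ({$f['mime']})\n";
    var_dump(lookup_file($db, '../../../etc/passwd', $dir));         // NULL: not an id
}
```

Run it from the command line to see a stored file resolved by id and a traversal string rejected before it reaches the database. On a live site the script that serves images is the only thing that reads the store directory, and the DB lookup it does per request is a single indexed primary-key select, which is the cost the thread was asking about.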