
PHP Upload and Security.


DamienRoche


I have added the ability to upload files on my website. With that come the inevitable security holes.

 

Can anyone advise on security measures I should be taking?

 

So far I have come up with:

 

-limit file-type to exclude possibly malicious files

-check for double file-types? (myfile.jpg.php)

-affix random id onto file name

 

But how do I protect against concealed code within images?

 

Are there any other measures I can take to greatly reduce the risk of a successful hacking attempt?


You can't really put "code" into images.

 

You should, however, not allow the uploaded files to be directly accessible. Even if it means creating a PHP file that does "readfile()" and outputs the contents of that file, do that instead of allowing direct web-level access to the file. This will stop people from uploading malicious files like .htaccess or hack.php (if a user uploads a PHP file, it would have access to all your code).

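The "serve it through readfile()" approach from the reply above, as an added example that is not code from the original thread. It assumes the uploaded files were stored under a random 32-hex-character id in /var/app/uploads, a directory outside the web server's document root, and that a small JSON file next to each upload records the MIME type that was verified at upload time; the path, the id format and the metadata layout are all assumptions made for the example.

```php
<?php
// Added example (not from the thread): serve an uploaded file through PHP so
// the upload directory itself is never reachable by an HTTP request.
// Assumptions: files live in /var/app/uploads (outside the document root)
// under an opaque id, and "<id>.json" beside each file stores the MIME type
// that was verified when the file was accepted. Paths are illustrative.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';

// Accept only the id format we generate ourselves (32 hex characters). Anything
// else, including "../" sequences or real file names, never reaches the
// filesystem call below.
$id = $_GET['id'] ?? '';
if (!preg_match('/^[a-f0-9]{32}$/', $id)) {
    http_response_code(404);
    exit;
}

$path = UPLOAD_DIR . '/' . $id;
$meta = UPLOAD_DIR . '/' . $id . '.json';
if (!is_file($path) || !is_file($meta)) {
    http_response_code(404);
    exit;
}

$info = json_decode((string) file_get_contents($meta), true);

// The Content-Type is taken from the allowlisted value recorded at upload
// time, never from the request or from a user-supplied file name. Anything
// unexpected is sent as an opaque download rather than rendered.
$allowed = ['image/jpeg', 'image/png', 'image/gif'];
$type = in_array($info['mime'] ?? '', $allowed, true)
    ? $info['mime']
    : 'application/octet-stream';

header('Content-Type: ' . $type);
// nosniff stops browsers from second-guessing the declared type (for example
// treating an image with embedded HTML as a page).
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($path));

// The display name is user-controlled at upload time, so restrict it to a safe
// character set before putting it in a header.
$downloadName = preg_replace('/[^A-Za-z0-9._-]/', '_', (string) ($info['name'] ?? 'file'));
header('Content-Disposition: inline; filename="' . $downloadName . '"');

// readfile() streams the bytes to the client; PHP never interprets them.
readfile($path);
```

Because the file is read and copied by PHP rather than mapped to a URL by the web server, no handler (PHP, CGI, .htaccess processing) is ever applied to it, which is the property the reply is after.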

The solution to script contained in images is -

 

1) Don't configure your server to parse image files (.jpg, .gif...) as script files (some people output dynamically generated images using script files that have image extensions.) Only have .php files parsed as php code.

 

2) Don't allow files that should be images to be uploaded, saved, or renamed as file names (.php) that are parsed as script files. Make sure the file name is what you expect (one way to ensure this is to make your own file name, having nothing to do with the name of the file that was uploaded.)

 

3) Don't put uploaded files in a folder that is directly accessible through http/https requests. Put uploaded files into a folder that is either not accessible through http/https requests or has a .htaccess file to deny all http/https access to the files in it.

 

 

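The three points above, together with the extension and "double file-type" checks from the original question, as one added upload handler. This is example code written for this page, not code from the thread. It assumes a form field named "image", a storage directory /var/app/uploads outside the document root (so point 3 is satisfied without an .htaccess file), and that a separate script later streams the file back to the browser; the field name, paths and size limit are assumptions.

```php
<?php
// Added example (not from the thread): accept an image upload in a way that
// leaves nothing for the web server to execute. Assumptions: form field
// "image", storage in /var/app/uploads outside the document root, and a
// separate serving script. Paths and limits are illustrative.

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;

// Types we accept, keyed by the MIME type detected from the file's bytes.
// The original extension is never consulted, so "shell.php", "shell.jpg.php"
// and "shell.php.jpg" are all treated the same way: by their content.
const ALLOWED = [
    'image/jpeg' => true,
    'image/png'  => true,
    'image/gif'  => true,
];

function reject(string $msg): void
{
    http_response_code(400);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    exit;
}

$file = $_FILES['image'] ?? null;
if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
    reject('No file uploaded or upload error.');
}
if ($file['size'] > MAX_BYTES) {
    reject('File too large.');
}
// Guarantees we are moving this request's temporary file, not some other path.
if (!is_uploaded_file($file['tmp_name'])) {
    reject('Invalid upload.');
}

// Point 2: decide the type from the bytes, not from the client-supplied name
// or the client-supplied $_FILES['type'].
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($file['tmp_name']);
if (!isset(ALLOWED[$mime])) {
    reject('Only JPEG, PNG and GIF images are accepted.');
}
// getimagesize() must agree with finfo; this also rejects files that carry
// an image magic number in front of something that is not an image.
$dims = @getimagesize($file['tmp_name']);
if ($dims === false || $dims['mime'] !== $mime) {
    reject('File is not a valid image.');
}

// Point 2 again, and the "random id" idea from the question taken all the
// way: the stored name is generated by us and carries no extension at all, so
// even a misconfigured server has nothing to map to the PHP handler.
$id   = bin2hex(random_bytes(16));
$dest = UPLOAD_DIR . '/' . $id;

// Point 3: the directory is outside the document root, so no URL reaches it.
if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
    reject('Storage unavailable.');
}
if (!move_uploaded_file($file['tmp_name'], $dest)) {
    reject('Could not store file.');
}
chmod($dest, 0640); // readable by the web server user, never executable

// Record the verified type and a display name for the serving script.
$meta = [
    'mime' => $mime,
    'name' => basename((string) $file['name']),
];
file_put_contents($dest . '.json', json_encode($meta), LOCK_EX);

echo 'Stored as id ' . htmlspecialchars($id, ENT_QUOTES, 'UTF-8');
```

Point 1 is a server-configuration matter rather than a PHP one: check that the PHP handler is bound only to the .php extension and not to image extensions or to a catch-all. If the storage directory must live under the document root, the .htaccess variant from point 3 is a file containing `Require all denied` (Apache 2.4) or `Deny from all` (Apache 2.2) placed in that directory, with AllowOverride enabled for it.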
