suggestion for fileupload security

[asmith]

Hi,

 

I have put an upload field, for users so that they could upload an mp3.

with php, I have limited the size to 200kb, and I don't allow other extensions than .mp3

 

Is this enough security to have the file upload like this ?

The site will be a game site, and my experience in these cases tells me, a lot of kids will want to mess with the site or try to hack it ... That's why I'm asking.

 

Thanks

[Stooney]

Just make sure you validate everything about the file before you move it from temp.  Another thing you can do if the file doesn't need to be directly accessed (http://site.com/mp3/song.mp3) you can store it above the webroot.  That way if someone does somehow figure something out and get a malicious file uploaded, they can't access it to execute it on the server. 

 

I would also rename the file so they don't know which one is there's if they somehow get to a point where that would matter.  So if John uploads bad.php.mp3 I would rename it to 32423432.mp3. 

[asmith]

I am validating :

 

only .mp3 extension

only audio/mpeg  type

max 100kb

rename the original file name

 

But as the mp3 will be played in some pages, I can't store it in the webroot. so the can look at the page source and see their renamed file.

 

anything more I must done?

Am I running the safety standard codes in this case? most programmer do this only? (in positions like me)

[waynewex]

Check its filetype AND check its filename for the extension. Aren't there certain folder permissions that one could set in order to stop execution?