webref.eu
Posted June 2, 2009

Hi All

Someone earlier kindly gave me a simple file upload script, which is fine for what I need. I will be using this script in an Admin area of my site, which is within a folder protected by .htaccess. I post the script below for your reference, and would like to know if this is OK security-wise, considering it will be located in a .htaccess-protected directory?

Thanks for any comments.

Rgds

<?php
// Retrieve the value of ProductId from the query string
$ProductId = $_GET['ProductId'];

// Protection from hackers. Check ProductId is just a number
$TestForNumber = is_numeric($ProductId);
if ($TestForNumber == 0) {
    echo "Sorry, the Product Id tried is not allowed.";
    exit();
}

if (isset($_POST['submit'])) {
    // This directory needs to exist and permissions need to be 0777
    $dir = "../images/products/";

    // Filename is taken from the client-supplied upload name
    $imagename = basename($_FILES['image']['name']);
    $newimage  = $dir . $imagename;

    // Move the temporary upload into the products directory
    move_uploaded_file($_FILES['image']['tmp_name'], $newimage);

    echo "Image uploaded. <a href='control-panel.php'>Return to Control Panel</a>.";
    exit();
}
?>
<form method="POST" enctype="multipart/form-data" action="">
    <p>Please upload a file called <?=$ProductId?>.jpg:</p>
    <input type="file" name="image" /><br /><br />
    <input type="submit" name="submit" value="Upload Image" />
</form>
TomNomNom
Posted June 2, 2009

Anything protected by a .htaccess file will be as secure as your .htaccess file. However, you should always plan for the worst. If your .htaccess authentication gets brute forced (or someone gains access to your username and password by other means), you could find yourself in real trouble. If the directory that the files are uploaded to is accessible via HTTP, an attacker could upload whatever they wanted (i.e. malicious code) and then execute it with ease.

You should at the very least check the file extension of the file being uploaded, and probably check its MIME type (try the Fileinfo PECL extension, or mime_content_type() if you have to) to make sure it's an image. It's also a good idea to make sure that any files a user (be it you or anyone else) uploads are not accessible via HTTP, if at all possible.

Good luck to you, good sir :-)
xcoderx
Posted June 2, 2009

I told him that before: add some blacklists to restrict some extensions. The most common file used is a .php.jpg extension; I'll not mention what that is, but since it has .jpg at the end the file is easily uploaded, and then boom.
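A hardened version of the upload handler, added here as an illustration and not code from anyone in the thread. It combines TomNomNom's advice (check the content with Fileinfo, keep uploads out of the web root) with the double-extension point xcoderx raises: the client-supplied filename is never used, so a name such as x.php.jpg has no effect on where or what gets written. The upload directory path and the size cap are assumptions chosen for the example.

```php
<?php
// Added example (not from the thread): hardened version of the upload handler.
// Assumes UPLOAD_DIR is a constructed path outside the document root, so uploads are never reachable or executable via the web server.
declare(strict_types=1);
const UPLOAD_DIR = '/var/www/uploads/products'; // assumed, not web-accessible
const MAX_BYTES  = 2 * 1024 * 1024;             // 2 MiB cap chosen for this example
function storeProductImage(string $productId, array $file): string
{
    // Digits only: tighter than is_numeric(), which accepts "1e3", " 12", etc.
    if (!ctype_digit($productId)) {
        throw new RuntimeException('Product id must be digits only.');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    // Only trust a file PHP itself received in this multipart request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Inspect the bytes, not the client-supplied name; "x.php.jpg" is irrelevant because the name is never used.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'image/jpeg') {
        throw new RuntimeException("Rejected MIME type $mime.");
    }
    // The image parser must also agree that it is a JPEG.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('Not a valid JPEG image.');
    }
    // Server-chosen name: <ProductId>.jpg, exactly what the form asked for.
    $dest = UPLOAD_DIR . '/' . $productId . '.jpg';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}
if (isset($_POST['submit'], $_FILES['image'])) {
    try {
        $stored = storeProductImage((string)($_GET['ProductId'] ?? ''), $_FILES['image']);
        echo 'Stored ' . htmlspecialchars(basename($stored), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the stored file lives outside the document root, it has to be served by a separate read-only script (or copied to a static host) rather than linked directly.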
webref.eu (Author)
Posted June 2, 2009

Thanks for the comments so far.

Rgds