andrewgerm Posted January 14, 2012 Share Posted January 14, 2012 Good day all Busy working on some code to allow users to upload images. Now, I know not to trust anything sent from a user (and to specifically check image type, etc.) And it's never a good idea to allow anyone, or anything to upload something to a directory below your web root. But, how bad would it be to check for the correct file size, and type, and then use PHP to FTP that file to a directory that happens to be below your web root? This would be on a shared hosting platform, where temp_upload is not set, and is running Apache and PHP 5.2 Just checking some additional options, and haven't seen that much regarding how secure the FTP method would be. Thanks in advance Quote Link to comment Share on other sites More sharing options...
blacknight Posted January 14, 2012 Share Posted January 14, 2012 use mime_content_type('php.gif') and run it aganst your allowed types this will stop corrupted gif files from being uploaded Quote Link to comment Share on other sites More sharing options...
andrewgerm Posted January 14, 2012 Author Share Posted January 14, 2012 Thank you for the reply I had intended to run actual checks (and not rely on user or browser supplied info) Had not seen many mention of mime type, but many mentions suggesting getimagesize, etc. Without opening this thread, and my questions up to giving out info that would add attackers, are there any other concerns to be aware of? Quote Link to comment Share on other sites More sharing options...
blacknight Posted January 14, 2012 Share Posted January 14, 2012 if you set size(w/h) and size (k Kb Mb) limits and check the mime type any file that passes your checks should be ok but i wouldent recomend any folder before your webroot folder use one called uploads in it then you can have php move it after its uploaded Quote Link to comment Share on other sites More sharing options...
andrewgerm Posted January 14, 2012 Author Share Posted January 14, 2012 Thank you again! Going to speak to the host, and see what I can organise. I've had several hosts tell me recently that they do not allow access to folders above webroot by scripts, at all. Will have to see what they can sort for this site then. Safest option is always the way to go. Had thought it'd be okay to do all the checks, but you never know what the next attack vector would be. Speaking of, any ways in even if uploading to another directory, and moving? Would also limit files to JPEG type, and probably resize them with a script too while I'm at it. Will post any additional info I manage here, but hopefully all goes well. Thank you again. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.