robert_gsfame Posted March 25, 2012 Share Posted March 25, 2012 I have a form to upload a file and file allowed must be in document format only. I have tried to filter using $filetype=$_FILES['file']['type']; if(($filetype!=="application/msword")&&($filetype!=="application/doc")&&($filetype!=="application/pdf")){ //not allowed} also i have included .htaccess in the upload folder Options -Indexes Options -ExecCGI AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi <Files ^(*.doc|*.pdf|*.rtf)> order deny,allow deny from all </Files> but still someone can inject PHP File into my upload folder. Which part is wrong and how to close that hole? Thx in advance Quote Link to comment https://forums.phpfreaks.com/topic/259667-upload-security/ Share on other sites More sharing options...
darkfreaks Posted March 25, 2012 Share Posted March 25, 2012 http://hungred.com/useful-information/secure-file-upload-check-list-php/ Quote Link to comment https://forums.phpfreaks.com/topic/259667-upload-security/#findComment-1330881 Share on other sites More sharing options...
robert_gsfame Posted March 25, 2012 Author Share Posted March 25, 2012 thx @dark freaks , i finally got an idea how that guy inject the script once again thx a lot! Quote Link to comment https://forums.phpfreaks.com/topic/259667-upload-security/#findComment-1330890 Share on other sites More sharing options...
scootstah Posted March 25, 2012 Share Posted March 25, 2012 You can use the following .htaccess to prevent PHP from executing: RemoveHandler .php .phtml .php3 RemoveType .php .phtml .php3 php_flag engine off AddType text/plain .pl .cgi .php Options -Indexes -ExecCGI Quote Link to comment https://forums.phpfreaks.com/topic/259667-upload-security/#findComment-1330946 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.