robert_gsfame Posted March 25, 2012 Share Posted March 25, 2012 I have a form to upload a file and file allowed must be in document format only. I have tried to filter using $filetype=$_FILES['file']['type']; if(($filetype!=="application/msword")&&($filetype!=="application/doc")&&($filetype!=="application/pdf")){ //not allowed} also i have included .htaccess in the upload folder Options -Indexes Options -ExecCGI AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi <Files ^(*.doc|*.pdf|*.rtf)> order deny,allow deny from all </Files> but still someone can inject PHP File into my upload folder. Which part is wrong and how to close that hole? Thx in advance Link to comment https://forums.phpfreaks.com/topic/259667-upload-security/ Share on other sites More sharing options...
darkfreaks Posted March 25, 2012 Share Posted March 25, 2012 http://hungred.com/useful-information/secure-file-upload-check-list-php/ Link to comment https://forums.phpfreaks.com/topic/259667-upload-security/#findComment-1330881 Share on other sites More sharing options...
robert_gsfame Posted March 25, 2012 Author Share Posted March 25, 2012 thx @dark freaks , i finally got an idea how that guy inject the script once again thx a lot! Link to comment https://forums.phpfreaks.com/topic/259667-upload-security/#findComment-1330890 Share on other sites More sharing options...
scootstah Posted March 25, 2012 Share Posted March 25, 2012 You can use the following .htaccess to prevent PHP from executing: RemoveHandler .php .phtml .php3 RemoveType .php .phtml .php3 php_flag engine off AddType text/plain .pl .cgi .php Options -Indexes -ExecCGI Link to comment https://forums.phpfreaks.com/topic/259667-upload-security/#findComment-1330946 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.