Drongo_III Posted April 22, 2012

Hi guys

Sorry I keep asking noob questions today...

I'm working on something that has a user-facing image upload facility. So I'm slowly working through a class to make this as secure as possible. One of the tips online is to use the method "is_uploaded_file ( )". According to php.net - "Returns TRUE if the file named by filename was uploaded via HTTP POST. This is useful to help ensure that a malicious user hasn't tried to trick the script into working on files upon which it should not be working--for instance, /etc/passwd."

I'm not one to just use things without understanding why. So how exactly could someone get a script to work on an internal file via a browse/upload facility?

kicken Posted April 22, 2012

> I'm not one to just use things without understanding why. So how exactly could someone get a script to work on an internal file via a browse/upload facility?

Normally when the browsers submit the filename, they include only the base name and no directory components. A malicious user could however alter the request to include a full path to a file as the filename. For example, changing the header from

    Content-disposition: form-data; name="upload"; filename="somefile.jpg"

to

    Content-disposition: form-data; name="upload"; filename="/etc/passwd"

If you're not careful you might end up enabling other means for the user to manipulate the filename as well.

xyph Posted April 22, 2012

It's an automated step to avoid a client trying to manipulate files they shouldn't. It acts as an extra layer of protection, but isn't very flexible either. More complex uploaders, like ones that upload in chunks, or process the temporary image with another script, can't use it.

I personally just sanitize the file name, keep uploads in their own temporary folder, and use copy(); unlink();

I miss an extra layer of security, but also an extra layer of potential complexity. If unsure, and it works, use it. If you're already isolating the files, and stripping bad characters out of the user-defined file names, you don't really need it.

Ninjakreborn Posted April 23, 2012

As was mentioned above, simply put, it's just a check to make sure the file has been uploaded. It's not entirely accurate if you're working with more complex uploading systems. If you're doing standard file uploads it can be useful as an additional check, but it's not really needed. You're better off putting your time into other checks, to make sure they aren't uploading improper file types, and things like that.
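
Added example, not code from any poster in this thread: one way to combine the checks discussed above, with is_uploaded_file() applied to the temporary path, a server-generated file name instead of the client-supplied one, and an image type check based on file content. The field name "upload" matches the header quoted in the thread; the "uploads" directory, the allowed types and the function name are assumptions.

```php
<?php
// Added example. store_uploaded_image(), the "uploads" directory and the
// allowed type list are hypothetical names chosen for illustration.
const ALLOWED_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

function store_uploaded_image(array $file, string $destDir): string
{
    // PHP reports transport problems (too large, partial, no file) in 'error'.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // tmp_name must be a file PHP itself received in this request via HTTP POST.
    // A path that reached this array any other way (e.g. /etc/passwd) fails here.
    if (!is_string($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the file content, not from the client-sent name or MIME type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }
    // The client filename never becomes part of the stored path.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$info[2]];
    // move_uploaded_file() repeats the is_uploaded_file() check before moving.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

if (PHP_SAPI === 'cli') {
    // Constructed input: shaped like a $_FILES entry, but tmp_name points at
    // a local file that was never uploaded in this request.
    $forged = ['name' => 'photo.jpg', 'type' => 'image/jpeg', 'tmp_name' => '/etc/passwd',
               'error' => UPLOAD_ERR_OK, 'size' => 1];
    try {
        store_uploaded_image($forged, sys_get_temp_dir());
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
} elseif (isset($_FILES['upload'])) {
    try {
        echo 'stored as ', basename(store_uploaded_image($_FILES['upload'], __DIR__ . '/uploads'));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'upload rejected';
    }
}
```

Run from the command line, the script feeds the function the constructed entry; served by a web server, it handles a real POST to the "upload" field.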