Jump to content

File Upload Security And Others


Recommended Posts

Hello people! I want to know some security features for file upload in PHP. I did read many stuffs, but not all have answered my questions.


To start, I am more on front-end than back-end, so I am not a professional in PHP, but I do know several things in PHP (Procedural). I did create a file upload system before, which was to upload image, including security and validation. Anyway, I am planning to create a similar system again but I want to know more on things which I have applied before. Here are my questions:


1/ When validating file formats, which is better, validating by MIME or regular expression? I used regular expression before, because I have read MIME can be changed, even that I am curious. Here is an example of regular expression which accepts only JPG and GIF files: /\.(gif|jpg)$/i


2/ Can we upload file like EXE without affecting the server? I do not want the EXE file to execute now on the server, or simply, if it is infected, it can ruin the server. Is there a solution to tackle this or it is not recommended? Because many file hosting let you upload EX, RAR, ZIP, script formats etc...


3/ What other security measures should I take into account on file upload? All uploaded files will be in a folder, and the user will get their links to download.


4/ This question is not on security but mostly on cron job. Normally, file uploaded will be stored in a folder but not forever on the sever. I want that each 3 days, each file which has been uploaded, is deleted from the folder. I am not saying all files have to be deleted simultaneously, but each file which is more than 3 days. For example, I upload one today, on Sunday it will be deleted. If I upload another one tomorrow, on Monday it will be deleted. For this, a person told me to store the timestamps in a database and the name of the file. How to proceed the deletion with cron job?



Link to comment
Share on other sites

To answer your questions:


  1. Both MIME type and the file extension can be changed. While it's relatively easy to change/spoof the MIME type it's even easier to change the file extension. So you should not rely upon any of those. Check them, yes, and mark it as a failure if they don't match, but don't rely upon them.
  2. This really depends upon the server, how you've configured it, where you've placed the files, and how the user gets access to them.
    If it's a Linux server, you've removed (or rather avoid setting) the execute permission, placed the files outside of the web root, and that you're running your users to a download script that reads the file. Well.. Then you're pretty secure. At least as no-one gets direct/shell access to the server, but in that case the upload form is irrelevant.
  3. In addition to the above, you should also check if the actual file's contents is valid for the MIME type and extension. At least in the cases where it's feasible to do so. You can also set up an automated virus-scan service for all new files, before they get added to the "download" folder, just to ensure yourself that extra bit.
    Input validation and output escaping is also, naturally enough, an important part on all user submitted data; Not just the files themselves. As with everything that accepts input from a user.
  4. Just search for a crontab tutorial on the web, and you'll find a lot of them. Should provide you with all the details you need, and the actual logic behind the deletion should be a cake walk.

Link to comment
Share on other sites

Just to add on to Christian, you don't necessarily need to store the timestamp in a database. Since these files are created new on the server, their modify date will be the date they were uploaded. Assuming they don't change once uploaded/virus scanned/moved to download folder, you can just run a script that loops through your directory and checks that date. This can be done multiple ways, too. If you want to make it a little more universal, make a perl/cgi script or a php script and have your cron job execute that.


At my last place I would run a nightly php script that would do stuff like this and I would have it email me a report of what was done. It was really easy to maintain and add on to.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.