Injecting PHP files
Thread: https://forums.phpfreaks.com/topic/277266-injecting-php-files/

php_nub_qq, April 24, 2013:
The question I have is theoretical. If say I have a form that allows upload of any file types, is it possible for someone to upload a PHP file and execute it? And if yes, as I believe, what are the options to avoid this?
computermax2328, April 24, 2013:
The answer is yes, and you can refer to this page: http://www.w3schools.com/php/php_file_upload.asp
php_nub_qq (author), April 24, 2013:
Well, but what if I want users to be able to upload PHP files but not run them?
computermax2328, April 24, 2013 (edited April 24, 2013 by computermax2328):
Why would you want that?
Jessica, April 24, 2013:
Don't store it in the web root.
computermax2328, April 24, 2013:
> Don't store it in the web root

Good point.
php_nub_qq (author), April 24, 2013:
Or what if I restrict the access to PHP files in the uploads folder via .htaccess? Will they still be downloadable then?
ignace, April 24, 2013 (edited April 24, 2013 by ignace):
When you allow users to upload files, you should:

- Verify the upload actually succeeded using the ['error'] index
- Check if something was actually uploaded using is_uploaded_file
- Move the uploaded file to a specified directory using move_uploaded_file
- Rename the file md5(filename), chmod to 400 (only readable by owner) and DO NOT store it in a publicly accessible place
- Use a download.php file to actually download the files and use file_get_contents/readfile to retrieve the content.
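An added example that is not code from the thread, showing ignace's steps as an upload handler plus the download.php side. It assumes a form field named "userfile" and an UPLOAD_DIR outside the DocumentRoot that the web server user can write to; the stored name is md5 of the original name plus a random salt so two uploads with the same name do not collide, and the download side accepts only a 32-hex-character id, never a user-supplied path.

```php
<?php
// Added example (not from the thread): upload handler following ignace's steps.
// Assumptions: the form field is named "userfile", and UPLOAD_DIR is a directory
// outside the web root that the web server user can write to.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads'; // assumed path, outside DocumentRoot
const MAX_BYTES  = 5 * 1024 * 1024;    // size cap, chosen for this example

function storeUpload(array $file): string
{
    // 1. Verify the upload actually succeeded using the ['error'] index.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 2. Check that the temp file really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3/4. Rename to md5(name + salt) so the stored name carries no user-controlled
    //      extension, then move it outside the web root via move_uploaded_file.
    $stored = md5($file['name'] . random_bytes(16));
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    chmod($dest, 0400); // readable by the owner only; never executed by the server
    return $stored;     // persist this id together with the original name
}

// 5. download.php: serve by stored id and read the bytes back with readfile().
function sendDownload(string $id, string $originalName): void
{
    if (!preg_match('/^[a-f0-9]{32}$/', $id)) { // only md5 hex ids are accepted
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) { http_response_code(404); return; }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $originalName);
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}
```

Call storeUpload($_FILES['userfile']) from the form handler and sendDownload($id, $name) from download.php after looking the id up in your own records; because the file is served as an attachment from outside the web root, the server never interprets it as PHP.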
php_nub_qq (author), April 24, 2013:
> Rename the file md5(filename), chmod to 400 (only readable by owner)

I'm sorry, but I don't understand this part: chmod to 400?
Joshua F, April 24, 2013:
> I'm sorry but I don't understand this part, chmod to 400 ?

chmod