file upload security


paddy_fields

Hi. I've used a whitelist approach to only allow certain file types to be uploaded, but I would like to know if this is enough protection. I've been reading about editing the htaccess to allow certain file types, if that would be useful as extra protection? I'd like this to be as safe as possible!


    <?php
    error_reporting(E_ALL);
    ini_set('display_errors', 1);

    // Detect the MIME type from the uploaded file's contents, not its name.
    $filename = $_FILES['cv']['tmp_name'];
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $filename);
    finfo_close($finfo);

    switch ($mime) {
        // .pdf
        case 'application/pdf':
            $ok = true;
            break;

        // .doc
        case 'application/msword':
            $ok = true;
            break;

        // .docx
        case 'application/vnd.openxmlformats-officedocument.wordprocessingml.document':
            $ok = true;
            break;

        default:
            $ok = false;
            break;
    }

    if ($ok) {
        // Note: the stored name is taken straight from the client-supplied file name.
        $target = "CV/";
        $target = $target . basename($_FILES['cv']['name']);

        if (move_uploaded_file($_FILES['cv']['tmp_name'], $target)) {
            echo "The file " . basename($_FILES['cv']['name']) . " has been uploaded <br><br>";
        } else {
            echo "Sorry, there was a problem uploading your file.";
        }
    } else {
        echo "<p>Oh no, you've chosen the wrong file type!</p>";
    }

You do need to check the extension too, in case the web server decides to serve the file based on its extension and not its contents. And extensions need to be managed with a whitelist.

For execution, there are a couple of things. If everything will always be for download and never served inline you can force a content type on all the files to make them always download. There's also the simple Options -ExecCGI -Includes so files will never be executed or parsed for server-side includes.
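As an added illustration of this reply (not something posted in the thread), here is an .htaccess for the poster's CV/ directory that disables execution there and forces every file to be downloaded rather than rendered. It assumes Apache 2.4 (Require syntax), that AllowOverride permits Options and FileInfo directives in that directory, and that mod_headers is loaded; the php_flag line only applies to mod_php and should be dropped on PHP-FPM setups.

```apache
# CV/.htaccess  (added example, not from the thread)

# Never execute anything stored here: no CGI, no server-side includes,
# no directory listing, and no PHP even if a file ends up with a .php name.
Options -ExecCGI -Includes -Indexes
php_flag engine off
RemoveHandler .php .phtml .phar
RemoveType .php .phtml .phar

# Serve every file as an opaque download regardless of extension or content,
# so the browser neither renders it inline nor sniffs a different type.
ForceType application/octet-stream
<IfModule mod_headers.c>
    Header set Content-Disposition attachment
    Header set X-Content-Type-Options nosniff
</IfModule>

# Deny by default; only the whitelisted extensions can be fetched at all.
Require all denied
<FilesMatch "\.(pdf|doc|docx)$">
    Require all granted
</FilesMatch>
```

With this in place a file that slipped past the upload check would still only ever be delivered as a download, never interpreted by the server; the upload-time whitelist and this server-side configuration are two independent layers, and the .htaccess itself should be owned by a user the web application cannot write as.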

I can find the extension via...

$ext = pathinfo($filename, PATHINFO_EXTENSION);

...but only once the file has been copied to my server. The path extension for $_FILES['cv']['tmp_name'] doesn't seem to have an extension associated so how can I check this before using move_uploaded_file ?

echo $_FILES['cv']['tmp_name'];

This produces /private/var/tmp/phpp4oORT , so I assume I can't check this way?

You can't reliably get the file extension from the file name. You could use $_FILES['cv']['name'], but it will be whatever the user sets it to.

Instead, you can save the file with the extension it should have based on its MIME. However, Apache should be configured to serve content based on the MIME and not the file extension.
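Putting the two replies together, here is an added example (not code from the thread) that keeps the poster's finfo content check, adds the extension whitelist the first reply asks for, and stores the file under a server-generated name whose extension comes from the detected MIME type rather than from the client, as this reply suggests. The field name cv and the CV/ directory are taken from the thread; the size limit, the helper names validate_upload and store_upload, and the directory layout are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes the form field is
// named "cv" and that uploads live in the CV/ directory next to this script.
declare(strict_types=1);

// Whitelist keyed by the MIME type finfo detects from the bytes. Each entry
// lists the extensions a client may submit for that type; the first one is
// the extension the stored copy gets, so the name on disk always matches
// the content.
const ALLOWED_TYPES = [
    'application/pdf'    => ['pdf'],
    'application/msword' => ['doc'],
    'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => ['docx'],
];
const UPLOAD_DIR = __DIR__ . '/CV';     // assumption: same layout as the thread
const MAX_BYTES  = 5 * 1024 * 1024;     // assumption: 5 MiB limit

/** Validate one $_FILES entry; returns the extension to store it under. */
function validate_upload(array $file): string
{
    $err = (int)($file['error'] ?? UPLOAD_ERR_NO_FILE);
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed (error code $err).");
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST.');
    }
    if ((int)$file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }

    // 1. Content check: what the bytes actually are, as in the original post.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("Content type $mime is not allowed.");
    }

    // 2. Extension check: $_FILES['cv']['name'] is whatever the client sent,
    //    so it is never reused, but the extension it carries must still be on
    //    the whitelist and agree with the detected type.
    $ext = strtolower(pathinfo((string)($file['name'] ?? ''), PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_TYPES[$mime], true)) {
        throw new RuntimeException("Extension '.$ext' does not match content type $mime.");
    }

    return ALLOWED_TYPES[$mime][0];
}

/** Store a validated upload under a server-generated name; returns that name. */
function store_upload(array $file): string
{
    $ext = validate_upload($file);

    // 3. Never reuse the client's file name: a random name takes path
    //    components and double extensions out of the picture, and the
    //    extension comes from the MIME map rather than from the client.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = UPLOAD_DIR . '/' . $stored;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Cannot create upload directory.');
    }
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move the uploaded file.');
    }
    chmod($target, 0640); // readable by the web server, never executable
    return $stored;
}

// Usage in the upload handler:
try {
    $name = store_upload($_FILES['cv'] ?? []);
    echo 'The file has been uploaded as ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo '<p>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</p>';
}
```

The random name is what lets you ignore the client-supplied name entirely while still keeping a sensible extension on disk; if the application needs the original name for display, store it separately (in a database column, escaped on output) rather than in the path. This complements, and does not replace, a server configuration for CV/ that refuses to execute or render anything stored there.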
