Jump to content

securing file uploads from a form

fatkatie

By fatkatie
in PHP Coding Help

 Share
Go to solution Solved by requinix,

Recommended Posts

fatkatie Advanced Member

fatkatie

Posted
Posted

I think I have this covered but want some feedback.

When I receive a file I secure it by checking these values in $_FILES

name:  must be a valid filesystem file name (if I'm going to use it).  I never did find a library out there that
would validate filesystem parameters (names, paths).  I just use a regular expression to look for things I know are illegal.

name:  length must not exceed filesystem limit plus path

size:  check for zero and max size

type:  validate against a list of allowed types  (Wondering if someone could subvert the type here and cause trouble.  Is there way to look inside a file and verify 'type'?)

tmp_name: nothing to check

error: should be zero


Got it all?

 

Thank you.

Link to comment
Share on other sites
  • Solution
requinix Prolific Member

requinix

Posted
  • Solution
Posted

name:  must be a valid filesystem file name (if I'm going to use it).  I never did find a library out there that

would validate filesystem parameters (names, paths).  I just use a regular expression to look for things I know are illegal.

Linux allows every character.

 

Store the original name as metadata with the upload. Actually name it on your server as something completely different.

 

name:  length must not exceed filesystem limit plus path

See above.

 

size:  check for zero and max size

If you want.

 

type:  validate against a list of allowed types  (Wondering if someone could subvert the type here and cause trouble.  Is there way to look inside a file and verify 'type'?)

The type is not safe to use. Don't even look at it. To detect type yourself, the file extension is most important and MIME identification can also help.

 

error: should be zero

Of course.
Link to comment
Share on other sites
  • 4 months later...
baldwindavidrye Newbie

baldwindavidrye

Posted
Posted (edited)
Quote

type:  validate against a list of allowed types  (Wondering if someone could subvert the type here and cause trouble.  Is there way to look inside a file and verify 'type'?)
 

 

Well...you can use this to get the uploaded file's extension

  

$ext = strtolower(pathinfo($img, PATHINFO_EXTENSION));

Source: PHP file upload script

Edited by Barand
Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.