fatkatie Posted April 14, 2018

I think I have this covered but want some feedback. When I receive a file I secure it by checking these values in $_FILES:

name: must be a valid filesystem file name (if I'm going to use it). I never did find a library out there that would validate filesystem parameters (names, paths). I just use a regular expression to look for things I know are illegal.
name: length must not exceed filesystem limit plus path
size: check for zero and max size
type: validate against a list of allowed types (Wondering if someone could subvert the type here and cause trouble. Is there a way to look inside a file and verify 'type'?)
tmp_name: nothing to check
error: should be zero

Got it all? Thank you.

https://forums.phpfreaks.com/topic/307125-securing-file-uploads-from-a-form/
requinix Posted April 14, 2018 (marked as Solution)

> name: must be a valid filesystem file name (if I'm going to use it). I never did find a library out there that would validate filesystem parameters (names, paths). I just use a regular expression to look for things I know are illegal.

Linux allows every character. Store the original name as metadata with the upload. Actually name it on your server as something completely different.

> name: length must not exceed filesystem limit plus path

See above.

> size: check for zero and max size

If you want.

> type: validate against a list of allowed types (Wondering if someone could subvert the type here and cause trouble. Is there a way to look inside a file and verify 'type'?)

The type is not safe to use. Don't even look at it. To detect type yourself, the file extension is most important and MIME identification can also help.

> error: should be zero

Of course.
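The checklist in the opening post and the advice in this reply (ignore the client-supplied type, decide by extension plus MIME identification, rename on the server, keep the original name only as metadata) can be put together into one upload handler. The following is an added example written for this thread, not code from either poster; it assumes the form field is named `upload`, that `UPLOAD_DIR` is a directory outside the web root, a 2 MiB size cap, and a small extension allowlist, all of which are placeholders to adapt.

```php
<?php
// Added example, not code from the thread. Assumptions: form field 'upload',
// UPLOAD_DIR outside the document root, MAX_BYTES and ALLOWED chosen as policy.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumption: not served by the web server
const MAX_BYTES  = 2 * 1024 * 1024;      // assumption: 2 MiB cap

// Extension allowlist, each mapped to the MIME type libmagic should report for it.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

function validate_upload(array $file): array
{
    // error: anything other than UPLOAD_ERR_OK means PHP rejected or truncated the upload
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    // tmp_name: confirm this path really came in through the HTTP POST handling
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // size: measure the file on disk instead of trusting the client-reported value
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file is empty or larger than ' . MAX_BYTES . ' bytes');
    }
    // name: only the extension is consulted, and only against the allowlist;
    // the client-supplied $file['type'] is deliberately never read
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // content: let libmagic classify the bytes and require agreement with the extension
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !in_array($detected, ALLOWED[$ext], true)) {
        throw new RuntimeException('detected content type does not match .' . $ext);
    }
    // images: getimagesize() parses the header and fails on files that only claim to be images
    if (strpos($detected, 'image/') === 0 && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('image header is invalid');
    }
    return ['ext' => $ext, 'mime' => $detected, 'size' => $size];
}

function store_upload(array $file): string
{
    $info = validate_upload($file);
    // the server-side name is random and never derived from the client name
    $id   = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.' . $info['ext'];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    chmod($dest, 0640); // data file, not executable
    // the original name survives only as metadata (a JSON sidecar here; a DB row works the same way)
    file_put_contents($dest . '.json', json_encode([
        'original_name' => $file['name'], // kept as given; still untrusted when displayed later
        'mime'          => $info['mime'],
        'size'          => $info['size'],
        'uploaded_at'   => gmdate('c'),
    ], JSON_THROW_ON_ERROR | JSON_INVALID_UTF8_SUBSTITUTE));
    return $id;
}

// usage in the POST handler for the form:
// $id = store_upload($_FILES['upload']);
```

The order matters: the cheap checks (`error`, `is_uploaded_file`, size) run before libmagic touches the bytes, and the allowlist is keyed by extension so that a file is accepted only when the extension and the detected content agree. The stored name is random and the original name never reaches the filesystem, which is what makes the name-validation question largely moot for storage.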
fatkatie Posted April 14, 2018 (Author)

I saw a post somewhere where they said to check for null in the file name. Null?

Your stuff looks good. Thanks.
requinix Posted April 15, 2018

> I saw a post somewhere where they said to check for null in the file name. Null?

Null? Where did you see this? The name won't be null... At least I've never heard of it being null.
fatkatie Posted April 15, 2018 (Author)

My reaction. Here's one: https://stackoverflow.com/questions/4814040/allowed-characters-in-filename

I saw the null discussion elsewhere... can't locate it now.
requinix Posted April 15, 2018

That's NUL the byte, as in chr(0), not null the empty/missing value.
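Since the original name is kept as metadata (and may be shown back to users or written to logs), it is still worth checking for the NUL byte mentioned here and for the handful of other things that make a name unusable. The function below is an added example, not code from the thread; the sample names at the bottom are constructed, and the 255-byte limit is the usual per-component limit on Linux filesystems, assumed here as the policy.

```php
<?php
// Added example, not code from the thread. Checks a client-supplied file name before it
// is kept as metadata. Returns null when the name is acceptable, else the reason it failed.
declare(strict_types=1);

function original_name_problem(string $name): ?string
{
    // NUL (chr(0)) terminates strings in C-based APIs, so a name such as "evil.php\0.jpg"
    // can be seen as "evil.php" by one layer while a check that only looks at the end sees ".jpg"
    if (strpos($name, "\0") !== false) {
        return 'contains a NUL byte';
    }
    // a directory separator turns a name into a path; reject rather than strip so nothing is silently rewritten
    if (strpbrk($name, "/\\") !== false) {
        return 'contains a path separator';
    }
    if ($name === '' || $name === '.' || $name === '..') {
        return 'empty or a directory reference';
    }
    // other control characters are legal on Linux but pointless in a name and a nuisance in logs and terminals
    if (preg_match('/[\x01-\x1F\x7F]/', $name)) {
        return 'contains control characters';
    }
    // 255 bytes per path component (assumed policy); count bytes, not characters, since that is what the kernel counts
    if (strlen($name) > 255) {
        return 'longer than 255 bytes';
    }
    return null;
}

// constructed sample names covering the accept and reject cases
$samples = [
    'report.pdf',
    "evil.php\0.jpg",
    '../../etc/passwd',
    'résumé.pdf',
    "line\nbreak.txt",
    str_repeat('a', 256) . '.txt',
];
foreach ($samples as $s) {
    $problem = original_name_problem($s);
    printf("%-24s %s\n", addcslashes(substr($s, 0, 20), "\0..\37"), $problem ?? 'ok');
}
```

Note that this validates the name for use as metadata only; with the rename-on-server approach from the accepted answer, nothing in the client name is ever used to build a filesystem path, and `résumé.pdf` passes because non-ASCII is perfectly fine in a stored display name.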
baldwindavidrye Posted August 17, 2018 (edited)

> type: validate against a list of allowed types (Wondering if someone could subvert the type here and cause trouble. Is there a way to look inside a file and verify 'type'?)

Well... you can use this to get the uploaded file's extension:

$ext = strtolower(pathinfo($img, PATHINFO_EXTENSION));

Source: PHP file upload script

Edited August 17, 2018 by Barand