securing file uploads from a form


fatkatie

I think I have this covered but want some feedback.

When I receive a file I secure it by checking these values in $_FILES:

name:  must be a valid filesystem file name (if I'm going to use it).  I never did find a library out there that would validate filesystem parameters (names, paths).  I just use a regular expression to look for things I know are illegal.

name:  length must not exceed filesystem limit plus path

size:  check for zero and max size

type:  validate against a list of allowed types  (Wondering if someone could subvert the type here and cause trouble.  Is there a way to look inside a file and verify 'type'?)

tmp_name: nothing to check

error: should be zero

Got it all?

Thank you.

Quote

name:  must be a valid filesystem file name (if I'm going to use it).  I never did find a library out there that would validate filesystem parameters (names, paths).  I just use a regular expression to look for things I know are illegal.

Linux allows every character.

Store the original name as metadata with the upload. Actually name it on your server as something completely different.

Quote

name:  length must not exceed filesystem limit plus path

See above.

Quote

size:  check for zero and max size

If you want.

Quote

type:  validate against a list of allowed types  (Wondering if someone could subvert the type here and cause trouble.  Is there a way to look inside a file and verify 'type'?)

The type is not safe to use. Don't even look at it. To detect type yourself, the file extension is most important and MIME identification can also help.

Quote

error: should be zero

Of course.
  • 4 months later...
Quote

type:  validate against a list of allowed types  (Wondering if someone could subvert the type here and cause trouble.  Is there way to look inside a file and verify 'type'?)

Well... you can use this to get the uploaded file's extension:

$ext = strtolower(pathinfo($img, PATHINFO_EXTENSION)); // $img is the client-supplied file name from $_FILES['...']['name']

Source: PHP file upload script

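An added example, written for this page and not code posted by anyone in the thread, that puts the advice from the first reply (ignore $_FILES['type'], allow-list the extension, confirm the content, rename on the server, keep the original name only as metadata) and the pathinfo() one-liner from the last post together into one PHP handler. Assumptions made here: the form field is called "upload", files are stored in an "uploads" directory that the web server will not execute scripts from, only the JPEG/PNG/GIF types in the ALLOWED table are wanted, and the names storeUpload(), MAX_BYTES and ALLOWED are chosen for this example.

```php
<?php
// Added example (not from the thread). Handles one entry of $_FILES.
// Assumptions: field name "upload"; destination __DIR__ . '/uploads' is not
// script-executable; accepted types are the images listed in ALLOWED.
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024; // 2 MiB; pick what your application needs
const ALLOWED = [
    // extension => MIME type the file contents must actually have
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate one $_FILES entry and store it under a random name.
 * Returns metadata for the database, or throws with a loggable reason.
 */
function storeUpload(array $file, string $dir): array
{
    // error: must be UPLOAD_ERR_OK (0); anything else means PHP already rejected it.
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('malformed upload entry');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . $file['error']);
    }

    // tmp_name: confirm it really is this request's uploaded file, not a path
    // smuggled in through a forged $_FILES-like array.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // size: reject empty files and anything above the limit. Read the size from
    // the temp file rather than trusting $file['size'].
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file is empty or too large');
    }

    // name: the client-supplied name is data, not a path. Only its extension is
    // used, lowercased and checked against the allow-list ("shell.php" fails here,
    // "shell.php.jpg" yields "jpg" and must then pass the content check below).
    $original = (string) $file['name'];
    if ($original === '' || strlen($original) > 255) {
        throw new RuntimeException('bad original file name');
    }
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // type: $file['type'] is ignored entirely; it is whatever the browser sent.
    // Sniff the real bytes with fileinfo and require a match with the extension.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $detected does not match .$ext");
    }

    // Server-side name is random; the original name survives only as metadata.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($dir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644); // readable, never executable

    return [
        'path'          => $dest,
        'stored_name'   => $stored,
        'original_name' => $original, // display only; escape it on output
        'mime'          => $detected,
        'size'          => $size,
    ];
}

// Usage from the form handler (field name "upload" is an assumption of this example).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['upload'])) {
    try {
        $meta = storeUpload($_FILES['upload'], __DIR__ . '/uploads');
        // persist $meta['stored_name'], $meta['original_name'], $meta['mime'] in the database
    } catch (RuntimeException $e) {
        http_response_code(400);
        error_log('upload rejected: ' . $e->getMessage());
        echo 'Upload rejected.';
    }
}
```

The order matters: is_uploaded_file() and the error code are checked before anything touches the file, the extension allow-list decides which MIME type the content must sniff as, and the random stored name means neither the original name nor its length ever reaches the filesystem. Serving the stored file back should go through a handler that sets Content-Type from the recorded MIME and Content-Disposition from the escaped original name, rather than exposing the uploads directory directly.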
