
securing file uploads from a form


Solved by requinix

I think I have this covered but want some feedback.

When I receive a file I secure it by checking these values in $_FILES

name:  must be a valid filesystem file name (if I'm going to use it).  I never did find a library out there that would validate filesystem parameters (names, paths).  I just use a regular expression to look for things I know are illegal.

name:  length must not exceed filesystem limit plus path

size:  check for zero and max size

type:  validate against a list of allowed types  (Wondering if someone could subvert the type here and cause trouble.  Is there a way to look inside a file and verify 'type'?)

tmp_name: nothing to check

error: should be zero


Got it all?

Thank you.

Solution

name:  must be a valid filesystem file name (if I'm going to use it).  I never did find a library out there that would validate filesystem parameters (names, paths).  I just use a regular expression to look for things I know are illegal.

Linux allows every character.

Store the original name as metadata with the upload. Actually name it on your server as something completely different.

name:  length must not exceed filesystem limit plus path

See above.

size:  check for zero and max size

If you want.

type:  validate against a list of allowed types  (Wondering if someone could subvert the type here and cause trouble.  Is there a way to look inside a file and verify 'type'?)

The type is not safe to use. Don't even look at it. To detect type yourself, the file extension is most important and MIME identification can also help.

error: should be zero

Of course.

I saw a post somewhere where they said to check for null in the file name.  Null?

Null? Where did you see this? The name won't be null... At least I've never heard of it being null.
4 months later...
Quote

type:  validate against a list of allowed types  (Wondering if someone could subvert the type here and cause trouble.  Is there a way to look inside a file and verify 'type'?)
Well...you can use this to get the uploaded file's extension

$ext = strtolower(pathinfo($img, PATHINFO_EXTENSION));

Source: PHP file upload script

Edited by Barand
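Putting requinix's advice (ignore $_FILES['type'], decide from the extension plus content sniffing, store the upload under a server-generated name and keep the original name only as metadata) and Barand's pathinfo() call together, here is an added example handler that is not code from anyone in this thread. The constants ALLOWED and MAX_BYTES, the function name handle_upload() and the upload directory are this example's own assumptions.

```php
<?php
// Added example: validate one entry of $_FILES as described in the thread.
// ALLOWED, MAX_BYTES and handle_upload() are names chosen for this example.

const MAX_BYTES = 2 * 1024 * 1024;                 // size: reject zero and oversized
const ALLOWED = [                                  // extension => MIME type we expect in the bytes
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

function handle_upload(array $file, string $dir): array
{
    // error: must be UPLOAD_ERR_OK, and tmp_name must really be an upload
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }

    // size: check for zero and max, measured on the temp file, not the client's claim
    $size = filesize($file['tmp_name']);
    if ($size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException("bad size: $size");
    }

    // type: $_FILES['type'] is never consulted; extension allowlist first (Barand's
    // one-liner), then finfo reads the file's magic bytes and must agree with it
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension not allowed: $ext");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content ($mime) does not match .$ext");
    }

    // name: the client's name never touches the filesystem, so its characters and
    // length no longer matter; generate our own name and keep the original as metadata
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($dir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    return ['stored_as' => $stored, 'original_name' => $file['name'],
            'mime' => $mime, 'size' => $size];
}

// Usage (directory path is an assumption): $meta = handle_upload($_FILES['upload'], '/var/app/uploads');
```

Record the returned metadata in your database rather than in the filename, and serve the stored file from a directory the web server does not execute scripts from.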