
You need to check the extension of the file carefully. Make sure that the filename does not have a .php, .cgi, .pl, etc. extension.

E.g. a user could potentially upload a file called test.php.jpg which could execute code.

 

You also want to prevent the user from uploading a file that is too large by checking the temp file's size. Also set your php.ini file to limit the post_max_size and upload_max_filesize values to the low end to prevent easy attacks.

 

Another thing you could do is encrypt the filename and store it in a database to avoid code execution.

Link to comment
https://forums.phpfreaks.com/topic/62670-securing-upload-forms/#findComment-311943
Share on other sites
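The checks from the post above, as an added example that is not code from the thread: it rejects any filename with more than one extension (so test.php.jpg never gets through), enforces a size limit that matches the php.ini values, and stores the file under a random name while keeping the original name in a database mapping (a random name with a lookup table is used here in place of the post's "encrypt the filename" suggestion). The form field name `upload`, the `$pdo` connection and the `uploads` table are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a form field named "upload",
// a PDO connection in $pdo, and a table uploads(stored_name, original_name).

// Extensions we are willing to store and serve back; everything else is rejected.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];
const MAX_UPLOAD_BYTES   = 2 * 1024 * 1024; // 2 MiB, same as the php.ini limits below

// Returns the allowed extension of $name, or null if the name is not acceptable.
// Exactly one extension is required, so "test.php.jpg" is rejected outright
// rather than trusting whichever extension the web server happens to honour.
function validate_upload_name(string $name): ?string
{
    $base  = basename($name);               // drop any path the client sent along
    $parts = explode('.', strtolower($base));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;                        // no extension, a dotfile, or a double extension
    }
    $ext = $parts[1];
    return in_array($ext, ALLOWED_EXTENSIONS, true) ? $ext : null;
}

// Validates one entry of $_FILES, moves it under a random name, records the
// mapping, and returns the stored name (or null when the upload is refused).
function handle_upload(array $file, PDO $pdo, string $dir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_UPLOAD_BYTES) {
        return null;                        // failed or oversized upload
    }
    $ext = validate_upload_name($file['name']);
    if ($ext === null) {
        return null;
    }
    // The client-supplied name never reaches the filesystem; only the mapping keeps it.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $stored)) {
        return null;
    }
    $stmt = $pdo->prepare('INSERT INTO uploads (stored_name, original_name) VALUES (?, ?)');
    $stmt->execute([$stored, $file['name']]);
    return $stored;
}

// Usage (assumed names): $name = handle_upload($_FILES['upload'], $pdo, '/var/uploads');
//
// php.ini values the post refers to, set to the low end on the server side:
//   post_max_size = 2M
//   upload_max_filesize = 2M
```

The upload directory should sit outside the web root or be configured so the server never executes files from it; the filename check alone is only the first layer.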

Thank you, that was exactly what I was looking for.  But with answers come more questions.  I know how to do the first suggestion, but I don't know what you mean by editing my php.ini file.  Could you please explain that one more?

 

And with the filename.  Do I encrypt it with that mcrypt thing?  And when I pull it back from the database do I just decrypt the filename? 

 

Also, how secure are databases? 

Do I have to worry about other people getting the information out of them?  If so, how do I make them secure?

How secure are PHP files? 

Can people download those from off of my server? 

Do I have to worry about people getting my password and database information from one of my PHP files? 

 

I know that I ask a lot of questions, but I'm trying!

https://forums.phpfreaks.com/topic/62670-securing-upload-forms/#findComment-312065

Also, how secure are databases?

Do I have to worry about other people getting the information out of them?  If so, how do I make them secure?

 

Encrypt the data with mcrypt etc. Also hash passwords with the hash or mhash libraries.

Users can also take advantage of SQL injection to steal data from the tables maliciously. However, you should never trust user input from cookies, GET, POST. Use functions like mysql_real_escape_string(), htmlentities, strip_tags, etc.

 

How secure are PHP files?

 

Obviously source code cannot be viewed outside the local network as it is parsed by the PHP engine into html.

 

Can people download those from off of my server?

 

Only through shell access and FTP.

 

Do I have to worry about people getting my password and database information from one of my PHP files? 

 

Unless you write terrible code you should be alright. (e.g. upload script allowing files with .php extension to be uploaded)

https://forums.phpfreaks.com/topic/62670-securing-upload-forms/#findComment-312542