Jump to content

How to do secure file uploads?

benjamintobs

By benjamintobs
in PHP Coding Help

 Share

Recommended Posts

benjamintobs Newbie

benjamintobs

Posted
Posted

OK, pls dont flame me if this is really dumb, but I dont think it is, I maybe just havent articulated it that well...

 

How to do secure file uploads with php? Or, more correctly, how to upload to a secured dir? Many apps and posts I have seen on the web advise that the target dir must be writable. Now, this is ok if I am the owner of the dir, but what about if I want my users to be able to e.g. upload an image? Unless I authenticate them as an ftp user on the system, with access to the folder, the folder must be chmod 777, which is highly insecure. If I am using a shared host, which many of us are, it is not feasible for me to create an ftp login for all my users. I use session based security, and require sessions for all uploads, but if the folder is 777, anyone can just come along and browse it, and more importantly, bypass the session and write to it.

htaccess is not really suitable in my situation either, as it will use the browser popup for auth, rather than my login system and this is not consistent with the rest of the site. Once someone has logged into my site (i.e. authenticated against my db, and got a session/cookie), they should be logged in to all the areas they require access too. And how to maintain password resets etc between the db AND the htpasswd file?

Is there a way for me to use something like ftp_connect, or cURL to open a connection, possibly as a ftp user who only has access to this folder, and do some stuff like fopen(); fwrite(): or imagejpeg(); whilst the connection is open, and then close that connection?

 

thanks in advance!

ben

Link to comment
Share on other sites
benjamintobs Newbie

benjamintobs

Posted
  • Author
Posted

No? no ideas? secure upload seems like an area that is a little bit neglected by php devs in general.

One solution I saw was to change the owner of the folder to "nobody", who is also the user that php operates under on most systems, then change the folder permissions to 755. This is a bit hard on shared hosting environment tho (see http://au3.php.net/manual/en/function.move-uploaded-file.php#75654).

I was thinking maybe about a combination of htaccess and CURLOPT_HTTPAUTH, but this would still just open the URL, I am unsure about how to point the output of my other functions, e.g. imagejpeg to the target dir. using cURL. Surely I cant be the only person who wants to do this!! Maybe cURL is not appropriate for this application. If not, then what?

Thanks, ben

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.