PHP Upload Security

Discussion in 'PHP' started by Obulus, Jun 23, 2009.

  1. #1
    Hi there,

    I've constructed myself a PHP image upload script, and due to a few `complaints` about security, I've come here to seek some advice.

    Could anyone give me any hints on how to improve the security of a basic upload system?

    Thanks in advance,
    Obulus

    Obulus, Jun 23, 2009
  2. xlcho
    #2
    One of the most important things is to check the uploaded files' MIME types. Make sure your users upload images, not some malicious scripts or something like that.

    xlcho, Jun 23, 2009
  3. lowridertj
    #3
    lowridertj, Jun 23, 2009
  4. Louis11
    #4
    The MIME type should take care of that. If they upload a file entitled name.php.png, it will still have a MIME of a PHP and not an image. Checking the MIME type is the best bet.

    Louis11, Jun 23, 2009
  5. lowridertj
    #5
    It will still get past as it looks at the ending characters. Just had the same problem with a client's script.

    lowridertj, Jun 23, 2009
  6. octalsystems
    #6
    Always use getimagesize for checking if it is really a valid image.

    octalsystems, Jun 24, 2009
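
The checks raised in this thread (MIME type, the `name.php.png` double extension, `getimagesize`) combined into one upload handler. This is an added example, not code from any poster; the function name `store_uploaded_image()`, the `image` form field, the 2 MiB limit and the destination path are assumptions.

```php
<?php
// Added example, not code from the thread. Hypothetical names:
// store_uploaded_image(), MAX_BYTES, ALLOWED, the 'image' form field.
declare(strict_types=1);

const MAX_BYTES = 2 * 1024 * 1024; // assumed size limit (2 MiB)
// Server-chosen extension per accepted type; the client's file name is never used.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_uploaded_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file sent');
    }
    $tmp = $file['tmp_name'];
    if (!is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('Not an uploaded file, or too large');
    }

    // MIME type detected from the file's content, not the browser-supplied
    // $file['type'], which the client controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $ext  = ALLOWED[$mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('File type not allowed');
    }

    // getimagesize() must parse the image header and agree with the detected type.
    $info = @getimagesize($tmp);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('Not a valid image');
    }

    // Random name plus the mapped extension, so an upload named "name.php.png"
    // or "x.php" is never stored under a name the web server would execute.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// Usage inside the form handler (destination path is a placeholder):
// $stored = store_uploaded_image($_FILES['image'], '/var/www/uploads');
```

A file can carry a valid image header and still contain other data, so the destination directory should also be configured so the web server does not execute scripts from it.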