
File Upload Question

Discussion in 'PHP' started by Darkhodge, Jul 7, 2011.

  1. #1
    Hi guys,


    I am developing a website and would like users to be able to upload files to the server. The file that they will be allowed to upload is a file for Guitar Pro, a desktop tablature editor (http://www.guitar-pro.com/en/index.php).

    The question I have is, how do I do this in a secure way? I haven't had much experience programming uploaders except for images. The file itself will have an extension .gpx, where the x is replaced by the version number of the software (e.g. filename.gp6 would refer to a file created in Guitar Pro 6, whereas filename.gp5 would have been created in Guitar Pro 5 etc...).

    How could I check the file they upload to make sure they don't upload a potentially dangerous file etc..? If you could give some input on this it'd be great!


    Thanks!

    Hodge
     
    Darkhodge, Jul 7, 2011 IP
  2. jestep

    jestep Prominent Member

    #2
    You would do this 2 ways. First validate the file extension, and validate the file headers if possible (this doesn't work with all file types). Next make sure that the upload directory is not publicly accessible and that files in the directory cannot be executed.

    The second should keep you pretty well covered by itself, but definitely pre-validate as best as possible.

    Basically, if your main index.php or equivalent file is located in /home/mysite/public_html/ or /home/mysite/web/ or something similar, put the upload directory at /home/mysite/gpuploads. This way there is no possibility of someone directly accessing a file from the internet.

    When someone needs to download a file, you have the server read and then write the contents to the browser which will force a download. You would use the proper header() to make sure the browser downloads the file instead of trying to display it inline.
     
    jestep, Jul 7, 2011 IP
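    The approach jestep describes, put together as an added example (not code from jestep or the original poster): extension check, a server-chosen filename in a directory outside the web root, and a download script that forces an attachment. It assumes PHP 7 or later, an upload directory of /home/mysite/gpuploads (the path from the answer above) and a form field named "tab"; the header/magic-byte check is left out because the thread gives no signature for the Guitar Pro format.

```php
<?php
// Added example, not the thread's own code. Assumes uploads live at
// /home/mysite/gpuploads (outside public_html, as suggested above) and that
// the HTML form field is named "tab". The stored name is chosen by the server.

const UPLOAD_DIR = '/home/mysite/gpuploads';

// Returns the stored file id on success, or an error string.
function store_tab(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'error: no valid upload';
    }
    // Only .gp3 .. .gp6 style extensions; the version digit is the only variable part.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!preg_match('/^gp[3-6]$/', $ext)) {
        return 'error: only Guitar Pro files are accepted';
    }
    if ($file['size'] > 2 * 1024 * 1024) {          // cap size to limit abuse
        return 'error: file too large';
    }
    // Random id + validated extension: no user-supplied text reaches the path.
    $id = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        return 'error: could not save file';
    }
    return $id;
}

// Streams a stored file back as an attachment. Only the id format is accepted,
// so "../" or any other path fragment cannot be injected.
function send_tab(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}\.gp[3-6]$/', $id)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');    // never rendered inline
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

    Call `store_tab($_FILES['tab'])` from the upload handler and `send_tab($_GET['id'])` from the download script; the web server still needs the upload directory kept out of the document root and without execute permissions, as jestep notes.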
  3. Darkhodge

    Darkhodge Well-Known Member

    #3
    Hey jestep,


    Thanks a lot for your input, and apologies for my belated response. I've been under a lot of pressure with work etc...

    Anyway, what you suggest makes sense and I will research it further. I'll repost here if I have any questions, so it'd be great if you could keep an eye on it.

    I do have one last question, however, if you don't mind. As I said, I haven't had much experience with upload scripts, so I would like to ask if there are any other issues I should consider when allowing this? Is it, for example, possible for someone with malicious intent to upload harmful files to the server? Since it's going to be a site where users can share music they wrote etc..., this is a major concern for me.

    Also I had a quick look at your blog, looks very useful so I bookmarked it so I can read it later once I have more time on my hands!
     
    Darkhodge, Jul 16, 2011 IP