If I have a script that accepts files to be uploaded, what should I do to them to make sure that they're "clean", meaning no malicious scripts are being uploaded, or they're being uploaded to the wrong place, or anything like that?
first of all, make sure you restrict certain files - .exe .bat ... anything that can obviously be malicious. to stop downloads being uploaded to the right place there are a number of safety precautions you can take, althogh im not claiming to be any expert on the topic:... - makesure open_basedir is correct - use htaccess to mask where files are actually uploaded to - makesure all forms on your site cannot be manipulated
restricting files... use this snippet of code to give you an idea of how to restrict formats. the example only allows MIME_TYPE (e.g. 'image/jpeg'). it should be placed in the posted page. -- htaccess... if you store the unique ID and filename of into an SQL database, you can create a rewrite rule in htaccess to do something like this... http://sitename.com/?d=UNIQUE_ID --> http://sitename.com/download_folder/uploaded_file.jpeg (where the UNIQUE_ID related to uploaded_file.jpeg) -- manipulation of forms... makesure all inputted fields are inputted correctly via strict practices. this is quite hard to explain... when forms have been posted, makesure that whatever is in the input field should relate to the form field. ie a phone number cannot contain characters, a zip code is limited to 5 numbers, etc. then use the POST method in your forms, and when in the form processor, use $_POST instead of $_REQUEST -- in short: the stricter practices you use, the safer you are
Good information there. When you said to restrict the file type, I thought you meant in the HTML form itself, I understand what you're saying now.