Hi guys, I am developing a website and would like users to be able to upload files to the server. The file that they will be allowed to upload is a file for Guitar Pro, a desktop tablature editor (http://www.guitar-pro.com/en/index.php). The question I have is, how do I do this in a secure way? I haven't had much experience programming uploaders except for images. The file itself will have an extension .gpx, where the x is replaced by the version number of the software (e.g. filename.gp6 would refer to a file created in Guitar Pro 6, whereas filename.gp5 would have been created in Guitar Pro 5, etc.). How could I check the file they upload to make sure they don't upload a potentially dangerous file, etc.? If you could give some input on this it'd be great! Thanks! Hodge
You would do this 2 ways. First validate the file extension, and validate the file headers if possible (this doesn't work with all file types). Next make sure that the upload directory is not publicly accessible and that files in the directory cannot be executed. The second should keep you pretty well covered by itself, but definitely pre-validate as best as possible. Basically, if your main index.php or equivalent file is located in /home/mysite/public_html/ or /home/mysite/web/ or something similar, put the upload directory at /home/mysite/gpuploads. This way there is no possibility of someone directly accessing a file from the internet. When someone needs to download a file, you have the server read and then write the contents to the browser, which will force a download. You would use the proper header() to make sure the browser downloads the file instead of trying to display it inline.
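The steps in the answer above, as an added example that is not part of the original post: extension allowlist, header check, storage outside the web root, and a download script that forces an attachment. The file signatures, the `tab` form field, the `id` query parameter and the server-generated file name are assumptions; only the /home/mysite/gpuploads path comes from the answer.

```php
<?php
// Added example, not the poster's code. Directory taken from the answer above.
const UPLOAD_DIR = '/home/mysite/gpuploads';   // outside public_html, never served directly

// Assumed signatures: confirm them against files saved by your own Guitar Pro versions.
function looks_like_guitar_pro(string $head): bool {
    return substr($head, 1, 18) === 'FICHIER GUITAR PRO'          // assumed: text after a length byte
        || in_array(substr($head, 0, 4), ['BCFZ', 'BCFS'], true); // assumed: Guitar Pro 6 container
}

// Call as store_upload($_FILES['tab']); 'tab' is a hypothetical form field name.
function store_upload(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Step 1: extension allowlist (.gp followed by one version digit).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!preg_match('/^gp[0-9]$/', $ext)) {
        throw new RuntimeException('extension not allowed');
    }
    // Step 2: check the first bytes of the file itself, not what the client claims.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 32);
    if ($head === false || !looks_like_guitar_pro($head)) {
        throw new RuntimeException('not a Guitar Pro file');
    }
    // Step 3: store under a server-generated name so the client controls no part of the path.
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . "/$id.$ext")) {
        throw new RuntimeException('could not store file');
    }
    return "$id.$ext";
}

// Call as send_download($_GET['id'] ?? ''); 'id' is a hypothetical query parameter.
function send_download(string $stored): void {
    $path = UPLOAD_DIR . '/' . $stored;
    // Accept only names store_upload() could have produced; rejects ../ and other paths.
    if (!preg_match('/^[0-9a-f]{32}\.gp[0-9]$/', $stored) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('X-Content-Type-Options: nosniff');   // stop the browser guessing a displayable type
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```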
Hey jestep, Thanks a lot for your input, and apologies for my belated response. Being under a lot of pressure with work, etc. Anyway, what you suggest makes sense and I will research into it further. I'll repost here if I have any questions, so it'd be great if you could keep an eye on it. I do have one last question however, if you don't mind. As I said, I haven't had much experience with upload scripts, so I would like to ask if there are any other issues I should consider when allowing this? Is it, for example, possible for someone with malicious intent to upload harmful files to the server? Since it's going to be a site where users can share music they wrote, etc., this is a major concern for me. Also, I had a quick look at your blog; it looks very useful, so I bookmarked it so I can read it later once I have more time on my hands!