kensbeijing Posted October 27, 2009

Hi, I have a form which posts a file upload to my php page (which uploads it). However I don't have a way of preventing people using the same php page to upload any dangerous files from an external website. I've googled for a solution but they all seem to be hackable, e.g. checking referral pages, and using sessions. Does anyone know of a safe way to upload files? I was thinking some kind of hidden password that is posted along with the form, and the php page checks if this is the same password that is stored in a database. But how would I be able to hide this password?
Ingolme Posted October 27, 2009

When you receive a file after it's uploaded, check the extension of the file.

For example, if you only wanted image files, you would make sure the file name only ends in .jpg, .jpeg, .png or .gif.
Synook Posted October 27, 2009

If your server has antivirus tools you can also scan the uploaded files.
kensbeijing Posted October 27, 2009 (Author)

> If your server has antivirus tools you can also scan the uploaded files.

It's not so much the file I am worried about, it's where the file is coming from. I am using the file uploader as an avatar uploader for members on my website, but the php upload script can very easily be used from someone outside of my website to upload a random image for any member on my website. With the use of an identical form.
Ingolme Posted October 27, 2009

> It's not so much the file I am worried about, it's where the file is coming from. I am using the file uploader as an avatar uploader for members on my website, but the php upload script can very easily be used from someone outside of my website to upload a random image for any member on my website. With the use of an identical form.

Then you'll have to check if the user is logged in or not before uploading the image. Usually you do this with sessions.
kensbeijing Posted October 27, 2009 (Author)

> Then you'll have to check if the user is logged in or not before uploading the image. Usually you do this with sessions.

Yea I've done that, are there any other ways to make sure that the php file is safe?
Ingolme Posted October 27, 2009

A PHP file is safe as long as you control any incoming data to it.

Make sure that the information that's coming in is used exactly as it was supposed to.
Synook Posted October 27, 2009

Well, make sure your login-check code is failsafe! As long as it is, only registered users will be able to upload things. If you don't trust your registered users, check the files as well!

Remember to check whether they're logged in on the actual page the form is submitted to.
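
The checks discussed in this thread, combined into one receiving script as an added example (not code posted by anyone in the thread). The session keys `member_id` and `upload_token`, the form fields `token` and `avatar`, the `avatars` directory and the size limit are all assumptions; the token is assumed to be set when the form page is rendered, e.g. `$_SESSION['upload_token'] = bin2hex(random_bytes(32));`, and echoed into a hidden field.

```php
<?php
declare(strict_types=1);
// Added example. All names below are assumed; requires the fileinfo extension.
const AVATAR_DIR = __DIR__ . '/avatars';   // assumed storage directory
const MAX_BYTES  = 512 * 1024;             // assumed size limit
const ALLOWED    = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                    'png' => 'image/png',  'gif'  => 'image/gif'];

/** Returns the stored file name, or throws RuntimeException on any failed check. */
function handle_avatar_upload(array $session, array $post, array $files): string
{
    // 1. Login check on the page that receives the POST, not only on the form page.
    if (empty($session['member_id'])) {
        throw new RuntimeException('not logged in');
    }
    // 2. Per-session token issued with the form; an identical form hosted elsewhere
    //    cannot know it. Compared in constant time.
    $sent = $post['token'] ?? '';
    if (!is_string($sent) || empty($session['upload_token'])
        || !hash_equals((string) $session['upload_token'], $sent)) {
        throw new RuntimeException('bad form token');
    }
    // 3. The file must be a real HTTP upload, error-free and within the size limit.
    $f = $files['avatar'] ?? null;
    if (!is_array($f) || $f['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($f['tmp_name']) || $f['size'] > MAX_BYTES) {
        throw new RuntimeException('upload failed or too large');
    }
    // 4. Extension allow-list, then confirm the content matches that image type.
    $ext  = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if (!isset(ALLOWED[$ext]) || ALLOWED[$ext] !== $mime) {
        throw new RuntimeException('not an allowed image');
    }
    // 5. Target member and file name come from the session, never from the request,
    //    so one member cannot overwrite another member's avatar.
    $name = 'member_' . (int) $session['member_id'] . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], AVATAR_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

session_start();
try {
    echo 'Saved ', htmlspecialchars(handle_avatar_upload($_SESSION, $_POST, $_FILES));
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ', htmlspecialchars($e->getMessage());
}
```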
This topic is now archived and is closed to further replies.