Jump to content

Prevent External Posts?


kensbeijing
 Share

Recommended Posts

Hi I have a form which posts a file upload to my php page (which uploads it). However I don't have a way of preventing people using the same php page to upload any dangerous files from an external website. I'v googled for a solution but they all seem to be hackable, e.g. checking referral pages, and using sessions. Does anyone know of a safe way to upload files? I was thinking some kind of hidden password that is posted along with the form, and the php page checks if this is the same password that is stored in a database. But how would I be able to hide this password?

Link to comment
Share on other sites

When you receive a file after it's uploaded, check the extension of the file.For example, if you only wanted image files, you would make sure the file name only ends in .jpg, .jpeg, .png or .gif.

Edited by Ingolme
Link to comment
Share on other sites

If your server has antivirus tools you can also scan the uploaded files.
It's not so much the file I am worried about, it's where the file is coming from. I am using the file uploader as an avatar uploader for members on my website, but the php upload script can very easily be used from someone outside of my website to upload a random image for any member on my website. With the use of an identical form.
Link to comment
Share on other sites

It's not so much the file I am worried about, it's where the file is coming from. I am using the file uploader as an avatar uploader for members on my website, but the php upload script can very easily be used from someone outside of my website to upload a random image for any member on my website. With the use of an identical form.
Then you'll have to check if the user is logged in or not before uploading the image. Usually you do this with sessions.
Link to comment
Share on other sites

Well, make sure your login-check code is failsafe! As long as it is, only registered users will be able to upload things. If you don't trust your registered users, check the files as well!Remember to check whether they're logged in on the actual page the form is submitted to.

Edited by Synook
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...