Programming Forums - View Single Post

brokenhope · Apr 18th, 2008, 3:59 PM

I have added an uploader to my website. It is a simple multi file uploader.

I want to keep adding features to it, but one thing stumps me, the security.

When a user chooses a file(s) to upload, it is uploaded in a specified subdirectory within the upload directory, under its original file name. That is one thing I need to do something with, so far my script checks:

-Checks if a file with that filename already exists, if so it added a numerical prefix to the file name.
-Checks if the format is valid, I only block .exe formats at this moment.
-Checks if the format is a "convert to .txt" format, which includes: html, xhtml, css, js, php, php3, php4, php5, xml, etc

and otherwise the file is uploaded with its original file name as is. Anyone have some pointers on some security I can add, as in checking the file name, invalid characters in a file name, etc...

Next is the specified upload directory, I know they can somehow reach other directorys with slashes and periods or something, how would I go about making sure the specified directory is only valid alpha numeric characters?

Same goes for the create directory function, I can only have them entering alpha numeric characters.

Thank you for reading, I am a bit rusty at PHP lately, just picked up on my project after nearly a year break from it.

Apr 18th, 2008, 3:59 PM	#1
brokenhope Hobbyist Programmer Join Date: Apr 2005 Posts: 126 Rep Power: 4	PHP Uploader, Aiming for safety. I have added an uploader to my website. It is a simple multi file uploader. I want to keep adding features to it, but one thing stumps me, the security. When a user chooses a file(s) to upload, it is uploaded in a specified subdirectory within the upload directory, under its original file name. That is one thing I need to do something with, so far my script checks: -Checks if a file with that filename already exists, if so it added a numerical prefix to the file name. -Checks if the format is valid, I only block .exe formats at this moment. -Checks if the format is a "convert to .txt" format, which includes: html, xhtml, css, js, php, php3, php4, php5, xml, etc and otherwise the file is uploaded with its original file name as is. Anyone have some pointers on some security I can add, as in checking the file name, invalid characters in a file name, etc... Next is the specified upload directory, I know they can somehow reach other directorys with slashes and periods or something, how would I go about making sure the specified directory is only valid alpha numeric characters? Same goes for the create directory function, I can only have them entering alpha numeric characters. Thank you for reading, I am a bit rusty at PHP lately, just picked up on my project after nearly a year break from it.