PHP Uploader, Aiming for safety.
I have added an uploader to my website. It is a simple multi file uploader.
I want to keep adding features to it, but one thing stumps me: the security. When a user chooses a file (or files) to upload, it is uploaded into a specified subdirectory within the upload directory, under its original file name. That is one thing I need to do something with. So far my script checks:

- Checks if a file with that filename already exists; if so, it adds a numerical prefix to the file name.
- Checks if the format is valid; I only block .exe formats at this moment.
- Checks if the format is a "convert to .txt" format, which includes: html, xhtml, css, js, php, php3, php4, php5, xml, etc. Otherwise the file is uploaded with its original file name as is.

Anyone have some pointers on some security I can add, as in checking the file name, invalid characters in a file name, etc.?

Next is the specified upload directory. I know they can somehow reach other directories with slashes and periods or something; how would I go about making sure the specified directory is only valid alphanumeric characters? Same goes for the create directory function: I can only have them entering alphanumeric characters.

Thank you for reading. I am a bit rusty at PHP lately; I just picked up my project after nearly a year's break from it.
Re: PHP Uploader, Aiming for safety.
Make sure you sanitize user input; preg_match() is your friend. :D
Re: PHP Uploader, Aiming for safety.
Also, instead of using the file's original name, you could use something like hash(filename+time) as the new file name.
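The two replies above, combined into one handler, as an added example that is not code from the thread or from either poster. It assumes uploads live under an `uploads/` directory beside the script, that the form posts the file as `userfile` and the chosen subdirectory as `dir`, and that the extension lists are the ones the original post mentions (the allowlist of "valid" formats is an assumption, since the post only names .exe as blocked).

```php
<?php
// Added example: safe subdirectory name, safe file name, and a containment
// check for the upload handler described in the thread. All names are assumptions.

const UPLOAD_BASE = __DIR__ . '/uploads';
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];      // assumed allowlist
const TEXTIFY_EXT = ['html', 'xhtml', 'css', 'js', 'php', 'php3', 'php4', 'php5', 'xml'];

// Subdirectory name: alphanumerics only, so "../", "/" and "\" can never get in.
function safeSubdir(string $name): ?string {
    return preg_match('/^[A-Za-z0-9]{1,32}$/', $name) ? $name : null;
}

// Server-chosen file name: random bytes instead of the client's name, so there are
// no collisions to rename around and no odd characters to filter.
function safeFilename(string $original): ?string {
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (in_array($ext, TEXTIFY_EXT, true)) {
        $ext = 'txt';                       // server-executable types become plain text
    } elseif (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                        // allowlist: anything not listed is rejected
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Returns the saved path, or null if any check fails.
function handleUpload(array $file, string $subdir): ?string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return null;
    $dir  = safeSubdir($subdir);
    $name = safeFilename($file['name'] ?? '');
    $base = realpath(UPLOAD_BASE);
    if ($dir === null || $name === null || $base === false) return null;

    $target = $base . DIRECTORY_SEPARATOR . $dir;
    if (!is_dir($target) && !mkdir($target, 0750, true)) return null;

    // Belt and braces: the resolved directory must still sit inside UPLOAD_BASE.
    $real = realpath($target);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) return null;

    // move_uploaded_file() refuses any source that was not actually uploaded via POST.
    $dest = $real . DIRECTORY_SEPARATOR . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Usage from the form handler (for a multi-file form, loop over $_FILES['userfile']['name']):
// $saved = handleUpload($_FILES['userfile'], $_POST['dir'] ?? '');
```

Keep the original client file name in a database column if you need to show it back to users; it should never become part of a path on disk.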
Copyright ©2007 DaniWeb® LLC