NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP MySQL File Upload Help

csnyder chsnyder at gmail.com
Thu Apr 27 12:17:59 EDT 2006


On 4/26/06, Brian O'Connor <gatzby3jr at gmail.com> wrote:
> While we're on this topic, I was wondering if some people could enlighten me
> on some good practices (if any at all really) for allowing users to upload
> files via a php page.
>
> Currently, I am using the ftp approach to upload certain files to my site,
> but I'm not really sure if that's the safest / most effective way.  I had
> been using move_uploaded_file() before, but that didn't seem to work for me
> on some hosts (I'm on a shared host, and I probably will be for quite some
> time).
>
> Thanks.


Which ftp approach do you mean?

Some things you can do to safely handle uploaded files are:

1) Use is_uploaded_file() to make sure you can trust the data in the
temporary file.

2) Make sure uploaded files are *never* saved with .php extensions (or
any other extension the webserver might execute as PHP). It's possible
to embed PHP code in files of any mimetype.

3) Store uploads outside of the web root, so that an attacker can't
request an uploaded file directly. This helps mitigate the risk in #2.


--
Chris Snyder
http://chxo.com/
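The three points above put together as one handler. This is an added example, not code from Chris, Brian, or the list; it uses the modern PHP API (finfo, random_bytes), which postdates this 2006 thread. The upload directory `/var/www/uploads`, the form field name `document`, and the size limit are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original thread): a hardened upload handler
// following the three points in the reply above. Assumes UPLOAD_DIR is a
// directory outside DocumentRoot that the web server user can write to;
// the path, field name and size cap below are hypothetical.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';   // outside the web root (assumed path)
const MAX_BYTES  = 2 * 1024 * 1024;      // 2 MiB cap; tune to the site

// Allowed content, keyed by the MIME type detected from the bytes, never by
// the client-supplied $_FILES[...]['type']. The extension is ours, not the
// user's, so nothing can land on disk as .php, .phtml, .phar or "x.php.jpg".
const ALLOWED = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

/**
 * Validate $_FILES[$field] and move it into UPLOAD_DIR under a random name.
 * Returns the stored basename (e.g. "3f9a...c1.png") or throws.
 */
function store_upload(string $field): string
{
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException('no such upload field');
    }
    $f = $_FILES[$field];

    if ($f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $f['error']);
    }
    if ($f['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Point 1: only trust a temp path that PHP itself created for this request.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }

    // Sniff the real type from the content; $f['type'] is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('disallowed content type');
    }

    // Point 2: discard the client's filename entirely; our name, our extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;

    // Point 3: UPLOAD_DIR is outside the web root, so nothing here is reachable
    // by URL. move_uploaded_file() itself refuses paths that are not uploads.
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640);   // no execute bit, not world-readable
    return $name;
}

/**
 * Hand a stored file back through PHP. The client only ever sees a name we
 * issued, and it is re-checked against the hex-plus-extension shape before
 * the filesystem is touched, so "../" or a foreign extension never gets in.
 */
function serve_upload(string $name): void
{
    $exts = implode('|', array_map('preg_quote', ALLOWED));
    if (!preg_match('/\A[0-9a-f]{32}\.(' . $exts . ')\z/', $name)) {
        http_response_code(400);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage: a multipart POST with <input type="file" name="document"> lands here;
// GET ?f=<stored name> streams a file back.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        echo 'stored as ', htmlspecialchars(store_upload('document'), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
} elseif (isset($_GET['f'])) {
    serve_upload((string) $_GET['f']);
}
```

Two design choices worth noting. The original filename is never used, not even sanitized, because on Apache with a mod_php AddHandler configuration a name like `shell.php.jpg` can still be executed; a random name plus a whitelisted extension removes that whole class of problem. And the download path sends `nosniff` and `attachment`, so even a file that passes the MIME check but carries script or HTML inside is not rendered in the site's origin.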

