Secure PHP File Upload Script


Solution 1

A late response, but I think your script should be based on this: http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/

It covers all aspects of security and explains all valid points. I hope this helps.

EDIT: The above link is dead, here is a cached version of that article.

Solution 2

For future readers who are also new to PHP:

Before reading the guide mentioned in Ricki's answer at https://stackoverflow.com/a/7065880/1815624, which mentions a good guide and is definitely a recommended read, I would advise reading this answer first:

https://security.stackexchange.com/a/32853/31943

then read the guide mentioned by Ricki at:

http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/

After all that if you need further security, you should consider disconnecting from the internet. :P

Solution 3

There are a million file uploading scripts out there. This one is not worse than the others.

Although the "protection" from uploading files other than pngs will not work (it only checks the name of the file).

Uploading files is quite safe - it's giving others the chance of downloading them that opens your server to certain types of attacks. The article you referenced does not mention two important points:

  • never serve any user provided files from the same domain as your webpage. Have a separate domain for downloads. This way even if someone manages to upload a Flash animation or a piece of HTML, your domain will not suffer from a cross-domain attack (e.g. if your application has a domain of example.org, you should serve user content from, say, downloads.example.com);
  • always serve uploaded files with well controlled headers.
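
The points made in Solution 3 and in the comments below (allowlist the extension, check the content and not only the name, keep uploads out of the document tree, serve them with controlled headers), as an added example that is not code from any answer or from the linked guides. `UPLOAD_DIR`, `ALLOWED`, `store_upload()` and `send_download()` are assumed names, the allowlist covers only part of the file types in the question, and `send_download()` is assumed to run on the separate download domain.

```php
<?php
declare(strict_types=1);
// Added example. UPLOAD_DIR, ALLOWED and both function names are assumptions.
const UPLOAD_DIR = '/var/app-uploads';  // assumed path outside the document root
const ALLOWED = [                        // extension => MIME type the content must have
    'png' => 'image/png', 'jpg' => 'image/jpeg',
    'gif' => 'image/gif', 'pdf' => 'application/pdf',
];

/** Validate one $_FILES entry and store it under a server-generated name. */
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Allowlist check on the extension the file will be saved with.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Check the content too: a name-only check passes any renamed file.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;  // client's name is never used on disk
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

/** Send a stored file; intended to run on the separate download domain. */
function send_download(string $stored): void
{
    // Accept only names this code generated, so no path component can slip in.
    if (!preg_match('/\A[0-9a-f]{32}\.([a-z]+)\z/', $stored, $m) || !isset(ALLOWED[$m[1]])
        || !is_file(UPLOAD_DIR . '/' . $stored)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED[$m[1]]);           // type from the allowlist, not the client
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('X-Content-Type-Options: nosniff');           // browser must not second-guess the type
    header('Content-Length: ' . filesize(UPLOAD_DIR . '/' . $stored));
    readfile(UPLOAD_DIR . '/' . $stored);
}
```

Content detection with `finfo` can be fooled by a crafted file, so the serving side does not rely on it: the response type comes from the allowlist and the file is always offered as an attachment.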
Author by

AAA

Updated on July 24, 2022

Comments

  • AAA almost 2 years

    I have asked this question twice I think, but this is the first time I have gotten close to this. I am planning on allowing users to upload and download their files (.pdf, .doc, .exl, .ppt, .png, .jpg, .gif).

    Will these tips suffice:

    http://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/

    Also, is there a script I can utilize? I am new to PHP.

  • CrandellWS over 10 years
    This is a great guide
  • Drew about 8 years
    Cached link reference above does not have a cached copy of the source code file to download discussed in the cached article linked above.
  • Neil Davis about 8 years
    There are several problems with this file upload security guide. The first is the whole concept of using a blacklist. Blacklisting is a losing proposition. You should whitelist the allowed extensions, check the uploaded file extension using the name you will save it as, and disallow access if the extension isn't in the whitelist. Blacklisting leaves you open any time a new vulnerability is discovered. Whitelisting is future proof.
  • JBH almost 7 years
    The danger in uploading is when programmers store the uploaded file in the document tree and check neither the suffix (*.php) nor the contents. Once done it gives malicious users the ability to run an uncontrolled script on your server. Yikes. File uploaders should always check file names and content to be sure the file is exactly what the programmer expected.
  • JBH almost 7 years
    Your answer doesn't explain the statement, "Uploading files is quite safe - it's giving others the chance of downloading them that opens your server to certain types of attacks." I provided an example.
  • fdreger almost 7 years
    @JBH Your advice is bad - following it will not get you any safety. And the "problem" you describe begins with serving users' files from the same domain as the rest of the application, which is against the first of my two rules (and is followed by a lot of other silly errors). If you honestly follow the two rules I give above, your app is safe. As simple as that. Really.
  • JBH almost 7 years
    Perhaps not bad, but maybe not what you wanted to talk about. I'm not really interested in an argument, I just wanted to help people understand the problem. Serving files from another domain may protect the first, but it doesn't protect the second. I apologize if I offended you. Cheers.