Studyon Minte9.com
ZCE 5.3

Study

File uploads & Shell



	// Restrict file types (pathinfo) | is|move _uploaded_file() 
	// Rename files (uniqid)
	// Login and Moderate
	// Shell | no system | escapeshellargs|cmd()

When you allow users to upload files to your website, you are putting yourself at a security risk. While 
nobody is ever completely safe, here are some precautions you can incorporate to make your site safer.

* Check the referrer: Check to make sure that the information being sent to your script is from your 
  website. While this information can be faked, it's still a good idea to check.

* Restrict file types: You can check the mime-type and file extension and only allow certain types to 
  be uploaded.

<form enctype="multipart/form-data" method="post"> <input type="hidden" name="MAX_FILE_SIZE" value="1000000" /> Choose a file to upload: <input name="uploaded_file" type="file" /> <input type="submit" value="Upload" /> </form> <?php // Check that we have a file if (!empty($_FILES['uploaded_file']) && $_FILES['uploaded_file']['error'] == 0) { // Check if the file is a type permited $filename = basename($_FILES['uploaded_file']['name']); $pathinfo = pathinfo($filename); $extension = $pathinfo['extension']; if (!in_array($extension, array('jpg', 'jpeg', 'gif', 'bmp'))) { echo 'File type not permitted'; } } ?>
  * Rename files: You can rename the files that are uploaded.
<?php if (!empty($_FILES['uploaded_file']) && $_FILES['uploaded_file']['error'] == 0) { $filename = basename($_FILES['uploaded_file']['name']); echo $new_filename = uniqid() . "_" . $filename; // 502913f491ac3_Chrysanthemum.jpg }
* Change permissions: Change the permissions on the upload folder so that files within it are not executable. * Login and Moderate: Making your users login might deter some deviant behavior. Shell system() - Do not user system() escapeshellargs() - Use to escape arguments escapeshellcmd() - Use to escape commands Email Do not provide open relays Open the SMTP port only if essential Delay incomming connections


http://php.about.com/od/advancedphp/qt/upload_security.htm