I have asked this question twice, I think, but this is the first time I have gotten close to this. I am planning on allowing users to upload and download their files (.pdf, .doc, .exl, .ppt, .png, .jpg, .gif).
Will these tips suffice:
http://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/
Also, is there a script I can utilize? I am new to PHP.
Creating an upload script:
$_FILES['file']['tmp_name'] - the uploaded file in the temporary directory on the web server.
$_FILES['file']['name'] - the actual name of the uploaded file.
$_FILES['file']['size'] - the size in bytes of the uploaded file.
$_FILES['file']['type'] - the MIME type of the uploaded file.
```html
<form enctype="multipart/form-data" action="sound_action.php" method="POST">
    <!-- MAX_FILE_SIZE needs a value in bytes (5 MiB here, as an example); it is advisory only,
         since a client can change or omit it, so the size must be re-checked on the server -->
    <input type="hidden" name="MAX_FILE_SIZE" value="5242880" />
    Choose a file to upload: <input name="file" type="file" /><br />
    <input type="submit" value="Upload File" />
</form>
```
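Since the question asks for a script and the linked rules only say what to check, here is an added example of a server-side handler for the form above. It is not code from the question or from the linked articles. Assumptions: the handler is saved under the name the form posts to, uploads are stored in a directory outside the web root that the web server never serves, the 5 MiB limit, that the asker's ".exl" means .xls, and the MIME strings libmagic returns for the legacy Office formats (these vary between libmagic versions and may need adjusting).

```php
<?php
// Hardened upload handler for the form above (added example; file name and
// storage directory are assumptions, not something the question specifies).
declare(strict_types=1);

const MAX_BYTES  = 5 * 1024 * 1024;                 // 5 MiB, same as the form's MAX_FILE_SIZE
const UPLOAD_DIR = __DIR__ . '/../private_uploads'; // outside the document root, never served directly

// Extension => MIME types accepted for it, matched against the file *content*, not the client's claim.
// The Office entries depend on the libmagic version installed; check what finfo returns on your system.
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'doc'  => ['application/msword'],
    'xls'  => ['application/vnd.ms-excel'],
    'ppt'  => ['application/vnd.ms-powerpoint'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
];

function fail(string $msg, int $status = 400): void {
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $msg;
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_FILES['file'])) {
    fail('No file uploaded.');
}
$f = $_FILES['file'];

// 1. Transport-level problems (partial upload, php.ini limits hit) show up here.
if ($f['error'] !== UPLOAD_ERR_OK) {
    fail('Upload failed (error code ' . (int)$f['error'] . ').');
}
// 2. Size is re-checked on the server; the hidden form field is only a hint to the client.
if ($f['size'] <= 0 || $f['size'] > MAX_BYTES) {
    fail('File is empty or too large.');
}
// 3. Only touch a file that PHP itself received as part of this request.
if (!is_uploaded_file($f['tmp_name'])) {
    fail('Invalid upload.', 403);
}

// 4. Extension allowlist on the client-supplied name, after stripping any path component.
$ext = strtolower(pathinfo(basename($f['name']), PATHINFO_EXTENSION));
if (!isset(ALLOWED[$ext])) {
    fail('File type not allowed.');
}

// 5. Content check: $_FILES['file']['type'] is sent by the browser and can say anything,
//    so sniff the magic bytes with finfo instead.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($f['tmp_name']);
if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
    fail('File content does not match its extension.');
}
// 6. For images, additionally require that PHP's image decoder accepts the file.
if (in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true) && @getimagesize($f['tmp_name']) === false) {
    fail('Corrupt image.');
}

// 7. Store under a random name generated here; the original name is kept only as metadata.
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
$dest   = UPLOAD_DIR . '/' . $stored;
if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0700, true)) {
    fail('Storage unavailable.', 500);
}
if (!move_uploaded_file($f['tmp_name'], $dest)) {
    fail('Could not store file.', 500);
}
chmod($dest, 0600); // readable by the web server user only, and never executable

// A real application would now record ($stored, original name, $mime, owner) in a database
// so that downloads can be served by an opaque id rather than by a client-controlled path.
header('Content-Type: text/plain; charset=utf-8');
echo 'Stored as ' . $stored . "\n";
```

Two design choices worth noting: the file never keeps its client-supplied name (so no path traversal and no double-extension tricks such as `shell.php.jpg` reaching the disk), and it is written outside the web root, so even a file that passed every check cannot be requested as a URL and handed to the PHP interpreter.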
A late response, but I think your script should be based on this: http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/
It covers all aspects of security and explains all valid points. I hope this helps.
EDIT: The above link is dead, here is a cached version of that article.
For Future readers, who are also new to php:
Before reading the guide mentioned in Ricki's answer at https://stackoverflow.com/a/7065880/1815624, which mentions a good guide and is definitely a recommended read, I would advise reading this answer first:
https://security.stackexchange.com/a/32853/31943
then read the guide mentioned by Ricki at:
http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/
After all that if you need further security, you should consider disconnecting from the internet. :P
There are a million file-uploading scripts out there. This one is not worse than the others.
Although the "protection" against uploading files other than PNGs will not work (it only checks the name of the file).
Uploading files is quite safe - it's giving others the chance of downloading them that opens your server to certain types of attacks. The article you referenced does not mention two important points:
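The download side raised in the answer above, as an added example that is not part of any answer on this page: a script that serves a stored file by an opaque id rather than by a client-supplied path. Assumed here: uploads were stored outside the web root under random names, a lookup table stands in for the database row written at upload time (the array below is constructed sample data), and the hypothetical script name download.php.

```php
<?php
// download.php (hypothetical name): serve a stored upload back to the user.
// Files live outside the web root under random names chosen at upload time; the
// client only ever sees an opaque id, never a file name or path.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../private_uploads';

// Constructed stand-in for the database table written by the upload handler.
const FILES = [
    '7c1d' => [
        'stored' => '3f2a9b8c1d4e5f60718293a4b5c6d7e8.pdf', // random name on disk
        'name'   => 'report.pdf',                           // original client name, for the download prompt
        'mime'   => 'application/pdf',                      // type sniffed at upload, not the browser's claim
    ],
];

function lookup(string $id): ?array {
    return FILES[$id] ?? null;
}

$id = (string)($_GET['id'] ?? '');
// The id is the only client-controlled input: require a short hex token, then look it up.
if (!preg_match('/^[a-f0-9]{1,32}$/', $id) || ($row = lookup($id)) === null) {
    http_response_code(404);
    exit('Not found');
}
// An authorization check (does the logged-in user own this file?) belongs here.

// Resolve the path and confirm it still sits inside the upload directory, even though the
// stored name came from our own database, so a corrupted row cannot read arbitrary files.
$base = realpath(UPLOAD_DIR);
$real = realpath(UPLOAD_DIR . '/' . $row['stored']);
if ($base === false || $real === false || !is_file($real)
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('Not found');
}

// Force a download with the type recorded at upload, and tell browsers not to sniff it
// into something else (an HTML-looking file rendered inline would run in your origin).
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['name']);
header('Content-Type: ' . $row['mime']);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"; filename*=UTF-8\'\'' . rawurlencode($row['name']));
header('Content-Length: ' . filesize($real));
header('Cache-Control: private, no-store');
readfile($real);
```

Request it as download.php?id=7c1d. Because the script, not the web server, decides what is sent and with which headers, a file can never be executed server-side on the way out, and `attachment` plus `nosniff` keep the browser from rendering user-supplied content in the application's origin; serving downloads from a separate hostname adds a further layer if that is an option.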