I have asked this question twice i think, but this is the first time i have gotten close to this. I am planning on allowing users to upload and download their files (.pdf, .doc, .exl, .ppt, .png, .jpg, .gif). Will these tips be suffice: http://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/ Also, is there a script I can utilize, i am new to php.

a late response, but i think your script should be based on this: http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/ it covers all aspects of security and explains all valid points. I hope this helps. EDIT: The above link is dead, here is a cached version of that article.

For Future readers, who are also new to php: Before reading the guide mentioned in Ricki's answer at https://stackoverflow.com/a/7065880/1815624, which mentions a good guide and is defiantly a recommended read I would advise to read this answer first: https://security.stackexchange.com/a/32853/31943 then read the guide mentioned by Ricki at: http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/ After all that if you need further security, you should consider disconnecting from the internet. :P

There is a million of file uploading scripts out there. This one is not worse than the others. Although the "protection" from uploading files other than pngs will not work (it only checks the name of the file). Uploading files is quite safe - it's giving others the chance of downloading them that opens your server to certain types of attacks. The article you referenced does not mention two important points: <ul> <li> never serve any user provided files from the same domain as your webpage. Have a separate domain for downloads. This way even if someone manages to upload a flash animation or a piece of HTML, your domain will not suffer from cross domain attack (eg if your application has a domain of example.org, you should serve user content from, say, downloads.example.com);</li> <li>always serve uploaded files with well controlled headers.</li> </ul>

Secure PHP File Upload Script

I have asked this question twice i think, but this is the first time i have gotten close to this. I am planning on allowing users to upload and download their files (.pdf, .doc, .exl, .ppt, .png, .jpg, .gif).

Will these tips be suffice:

http://blogs.sans.org/appsecstreetfighter/2009/12/28/8-basic-rules-to-implement-secure-file-uploads/

Also, is there a script I can utilize, i am new to php.

What is file handling in PHP write a PHP script to upload a file?

Creating an upload script $_FILES['file']['tmp_name'] − the uploaded file in the temporary directory on the web server. $_FILES['file']['name'] − the actual name of the uploaded file. $_FILES['file']['size'] − the size in bytes of the uploaded file. $_FILES['file']['type'] − the MIME type of the uploaded file.

How can I upload audio and video in PHP?

<form enctype="multipart/form-data" action="sound_action. php" method="POST"> <input type="hidden" name="MAX_FILE_SIZE"/> Choose a file to upload: <input name="file" type="file" /> <input type="submit" value="Upload File" /> </form> <?

a late response, but i think your script should be based on this: http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/

it covers all aspects of security and explains all valid points. I hope this helps.

EDIT: The above link is dead, here is a cached version of that article.

For Future readers, who are also new to php:

Before reading the guide mentioned in Ricki's answer at https://stackoverflow.com/a/7065880/1815624, which mentions a good guide and is defiantly a recommended read I would advise to read this answer first:

https://security.stackexchange.com/a/32853/31943

then read the guide mentioned by Ricki at:

http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/

After all that if you need further security, you should consider disconnecting from the internet. :P

There is a million of file uploading scripts out there. This one is not worse than the others.

Although the "protection" from uploading files other than pngs will not work (it only checks the name of the file).

Uploading files is quite safe - it's giving others the chance of downloading them that opens your server to certain types of attacks. The article you referenced does not mention two important points:

never serve any user provided files from the same domain as your webpage. Have a separate domain for downloads. This way even if someone manages to upload a flash animation or a piece of HTML, your domain will not suffer from cross domain attack (eg if your application has a domain of example.org, you should serve user content from, say, downloads.example.com);
always serve uploaded files with well controlled headers.

Secure PHP File Upload Script

Tags:

file

forms

php

upload

storage

AAA

People also ask

3 Answers

Ricki

CrandellWS

fdreger

Recent Activity

Donate For Us

Secure PHP File Upload Script

Tags:

file

forms

php

upload

storage

AAA

People also ask

3 Answers

Ricki

CrandellWS

fdreger

Related questions

Recent Activity

Donate For Us