Re: sanitizing uploaded data with a form
- From: Tim Greer <tim@xxxxxxxxxxxxx>
- Date: Tue, 14 Oct 2008 15:11:33 -0700
NN wrote:
I have a form that i'll be using to upload images to my server. i'm
concerned about the possibility of entering wrong data into my
database (mysql) or the user choosing a file name not compatible with
Linux/apache.
i'm escaping quotes for the database, but i wasn't sure what other
precautions i should take as far as the file name is concerned (which
i'd like to keep intact if possible).
i'm already filtering the mime types this way:
$allowedFileTypes = array("image/gif", "image/jpeg", "image/pjpeg");
if (!in_array($_FILES['data']['type'], $allowedFileTypes)) {
die("ERROR: File type not permitted");
}
thank you very much for your help,
NN
Checking the headers of the file itself are always a good idea. There
are really no file names that aren't compatible, but that's a long
discussion to get into. Check the file name and file extension, ensure
they can only use alphanumeric charcaters and a dot + file extension.
You can always (and probably should) rename their file to some numeric
file name with the correct file extension. I.e., "this's my
wedding.jpg" to 01435664634.jpg (maybe by time and seconds), or
whatever you want. For their title/description, you can escape things
like new lines, single quotes, etc.
Anyway, be sure they can't start a file name with a . and that they
can't add non alphanumeric characters, such as / $, %, etc. It really
also depends if your script will try and interpret meta characters on
uploads or just displaying (which it shouldn't ever need to do or want
to do). If the script is to display them, and not display them
directly, you can remove web access to the files. You can deny
permission to view the files direct them, or put them outside of the
web root directory.
You should disallow execution on that directory of any files, especially
if it's directly web accessible, so someone can't upload a script,
especially someone else on the server, if you use a shared server and
the admins allow PHP scripts to all run as the same global web server
user (because that would open the likely potential that someone else on
the server could write a file in your directory and access it from your
web site, being in your web root). That can easily be overcome, but
it's something to consider if your web host runs PHP in the Apache API
without some wrapper to ensure that only scripts owned by your user can
run in your account and that you don't have to allow world writable
permissions, for example. There might be more to this and other
suggestions, but it depends on your environment and how things are
configured, including, of course, the PHP upload script itself.
Measures always need to be taken to ensure abuse can't happen, but it
can be done safely.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
.
- Follow-Ups:
- References:
- sanitizing uploaded data with a form
- From: NN
- sanitizing uploaded data with a form
- Prev by Date: Re: sanitizing uploaded data with a form
- Next by Date: Re: Managing objects
- Previous by thread: Re: sanitizing uploaded data with a form
- Next by thread: Re: sanitizing uploaded data with a form
- Index(es):
Relevant Pages
|
