#1
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    5
    Rep Power
    0

    User file Uploads to my site


    I'm building a site with PHP. I'm going to allow my users to upload files and view them. What precautions should I be taking so that I can't get burned by someone uploading something that could hurt the server or may allow hacking of some kind? Let me know if this is the wrong forum to ask this question. I was having trouble trying to determine the best forum to use.
  2. #2
  3. Transforming Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    14,143
    Rep Power
    9398
    Upload what kind of files? Can anonymous users upload or access them?
  4. #3
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    5
    Rep Power
    0
    The plan is to use a regular post HTML form to accept the file. The post process will move the file to a specific directory. Another page will allow viewing the file through a link. Technically the user will be uploading anything from pictures to Office documents and text documents. I don't know if I can actually stop them from uploading any type of file they want. I could try and check the extension or type, but that's not always going to protect me. The real question I guess is can they upload a file and execute it somehow if I'm controlling the upload and giving them a link to view it?
  6. #4
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    5
    Rep Power
    0
    I forgot to add. The user that can upload a file is controlled by me and must be logged in to be able to upload a file. Not just anyone can do it.
  8. #5
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,317
    Rep Power
    7170
    If you need to allow the upload of arbitrary file types then you cannot allow direct access to the uploaded files. They need to be stored outside of the web root or inside a directory that cannot be accessed from the web. To serve the files for download, you need to implement a PHP script using something like readfile to send down the file to the user.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
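
The approach described in post #5 (files kept outside the web root and sent by a PHP script using readfile), as an added example that is not code posted in the thread. The storage path, the `user_id` session key, the 32-hex-character stored names and the `.name` sidecar file holding the original filename are all assumptions made for illustration.

```php
<?php
// download.php - added example; every path and key below is hypothetical.
declare(strict_types=1);

// Assumed storage directory. It must NOT be under the web server's document
// root, so nothing stored here can be requested (or executed) by URL.
const UPLOAD_DIR = '/var/app-data/uploads';

// Only logged-in users may fetch files (assumed session key set at login).
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// Files are assumed to be stored under a server-generated name such as
// bin2hex(random_bytes(16)), never under the name the uploader supplied.
// Accepting only that format rejects "../" and any other path tricks.
$id = $_GET['id'] ?? '';
if (!is_string($id) || !preg_match('/\A[a-f0-9]{32}\z/', $id)) {
    http_response_code(400);
    exit('Bad file id');
}

// Resolve symlinks and confirm the result is still inside the upload dir.
$base = realpath(UPLOAD_DIR);
$real = realpath(UPLOAD_DIR . '/' . $id);
if ($base === false || $real === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($real)) {
    http_response_code(404);
    exit('Not found');
}

// Original filename from the assumed sidecar file, reduced to a safe
// character set so it cannot inject headers or path components.
$orig = is_file($real . '.name') ? (string) file_get_contents($real . '.name') : '';
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename(trim($orig)));
if ($name === '' || $name === null) {
    $name = 'download.bin';
}

// Send every file as opaque bytes: the browser saves it instead of
// rendering it, and nosniff stops it guessing a type such as HTML.
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $name . '"');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . (string) filesize($real));
readfile($real);
```

Because the script never interprets the file's contents, the stored bytes are only read and sent, whatever extension the uploader gave them.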
  10. #6
  11. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Posts
    5
    Rep Power
    0
    Will this work for any type of file like images, PDF, and MS Office documents like Word or Excel?
