PHP Security: File Upload

Posted by: Admin  :  Category: Web Hosting Tutorials

Linux Cpanel shared hosting: 600 GB disk space, 6 TB bandwidth, free domain, unlimited databases and ftp accounts, web hosting cheap and pro at Hostony


WEBSITE: betterphp.co.uk In this video I cover a very common security issue with file uploads and show a secure way to prevent bad files being uploaded. To give an idea of how common this problem is: if you google “free image hosting”, 3 of the sites on the first 4 pages have this issue!
Video Rating: 4 / 5


15 Responses to “PHP Security: File Upload”

  1. vulturinegears Says:

    Yeah, your tut’s are great man. SO glad I found you! <3

  2. betterphp Says:

    Why would the name of an image ever go into a script tag ?

  3. rudxai Says:

    True, but it’s still dangerous. Consider the following code in a simple HTML page (probably XSS vulnerable) where you include a JavaScript link:
    <script src="test.png"></script>
    where test.png is actually test.js renamed (with a simple alert(); inside).
    The script will run.

  4. betterphp Says:

    The server would not process a .png file as a .php file though.

  5. rudxai Says:

    The code is still vulnerable. I could just rename my bad upload with an ‘allowed’ extension and upload it without a problem.
    What you should really check is the mime data inside the file to figure out if it’s actually an image.

  6. ProudByte Says:

    I like your videos but, please, for God’s sake stop saying “ham”! I’m hungry, man!

  7. jupitershanestap Says:

    @betterphp yup, you’re right.

  8. betterphp Says:

    No, you shouldn’t, because the move_uploaded_file function does this check. That function you mention should only be used if you want to read the temp file directly.

  9. jupitershanestap Says:

    You should also check if file stored in the tmp folder was actually uploaded using is_uploaded_file
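
Comments 5, 8 and 9 between them describe the checks an upload handler needs: decide the file type from its bytes rather than its name, confirm the temp file really came from this request, and move it with move_uploaded_file. The handler below is an added example, not code from the video or from any commenter; it assumes a form field named "image", an "uploads" directory beside the script, and a server configuration that does not execute scripts from that directory.

```php
<?php
// Added example: validate an image upload by content, not by client-supplied name or type.
// Assumptions: form field "image", directory ./uploads, no script execution under ./uploads.
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
// Detected MIME type => extension we will force on the stored file.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function store_uploaded_image(array $file): string
{
    // PHP already flags partial uploads, size-limit hits and missing files.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Only touch files that arrived through this request's HTTP upload (comment 9).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Type comes from the bytes on disk. $file['type'] and $file['name'] are chosen
    // by the client, so a test.js renamed to test.png is caught here (comment 5).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime]) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not an allowed image type');
    }
    // Never reuse the client's filename: random name plus the extension that
    // matches the detected type, so "shell.php.png" style names cannot survive.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    // move_uploaded_file refuses anything that is not a genuine upload (comment 8).
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
    try {
        echo 'stored as ' . htmlspecialchars(store_uploaded_image($_FILES['image']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The content check rejects a renamed script because finfo reports it as text, not as an image; keeping the uploads directory free of script execution is what protects against an image that also happens to contain code.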

  10. betterphp Says:

    Glad you like it 😉

  11. AMM686 Says:

    Thanx useful tut…

  12. RawRzCopteR Says:

    yea yea, i know what you meant 😛

  13. betterphp Says:

    that’s what I meant 🙂 it would make very little sense for them to be the actual array keys.

  14. RawRzCopteR Says:

    8:36 – depreciated lol – deprecated… no offense :p

  15. RawRzCopteR Says:

    the explode – the test string becomes the value not the key in the array
