
File upload and security

11/10/2011 5:47:48 AM
PHPRunner General questions
mickna author

Hi there,
I am considering changing the upload location for images from a MySQL blob to files.

Now I am thinking about security:
I can upload images and display them - fine.

But I can also upload a php file...

How can I check whether the uploaded file is an image (jpg, png, gif) to prevent a script kiddie from uploading a PHP shell or similar?

Or is it enough to check the suffix (and is it therefore not possible to call a PHP script somehow if it is renamed from .php to .jpg to bypass the simple suffix check)?
Thanks,

mickna

mickna author 11/10/2011

Just testing.

I think this would do the job to check the file type:

$_FILES['thefile']['type']

Admin 11/10/2011

You can check the upload file extension and reject everything but image files:

http://xlinesoft.com/phprunner/docs/check_size_and_extension_of_uploadfiles.htm

Even if a PHP file is renamed to .jpg, it won't be executed.
Another and better option is to choose an upload folder located outside of your website root directory. This way uploaded files won't be accessible directly, and no uploaded script can be executed.
Probably you can combine both methods for tighter security.
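The two measures from the reply above (reject everything but image extensions, and keep the upload folder outside the web root) combined in one handler, as an added example that is not code from the thread or from PHPRunner. It also shows why the `$_FILES['thefile']['type']` check proposed earlier in the thread is not enough on its own: that value is sent by the browser, so the example inspects the file bytes with `getimagesize()` instead. The directory `/var/www/private_uploads`, the form field name `thefile` and the function names `save_uploaded_image()` / `serve_image()` are assumptions for illustration.

```php
<?php
// Added example (not from the thread or PHPRunner): hardened image upload.
// Measures: extension allow-list, content check, random file name, storage
// outside the web root, and serving through PHP so nothing is executable.
// Assumed names: UPLOAD_DIR, form field 'thefile', the two functions below.

declare(strict_types=1);

// Assumption: a directory that is NOT under the document root, so no URL maps to it.
const UPLOAD_DIR = '/var/www/private_uploads';

// Allowed extensions mapped to the MIME type the file content must actually have.
const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validate and store one uploaded file. Returns the stored file name on
 * success and throws on any failure, so a rejected file is never kept.
 */
function save_uploaded_image(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Extension check on the client-supplied name (case-insensitive).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. Content check. $_FILES[...]['type'] comes from the browser and can be
    //    set to anything, so inspect the bytes instead of trusting it.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== ALLOWED[$ext]) {
        throw new RuntimeException('content is not ' . ALLOWED[$ext]);
    }

    // 3. Never reuse the client's name: generate one, keep the vetted extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $name;
}

/**
 * Serve a stored image through PHP, since the folder itself is not reachable
 * by URL. The name must match the pattern generated above, which rejects
 * "../" and any other path component before the filesystem is touched.
 */
function serve_image(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.(jpe?g|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    $info = @getimagesize($path);
    if ($info === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Usage from a form with <input type="file" name="thefile">:
// try { $stored = save_uploaded_image($_FILES['thefile']); }
// catch (RuntimeException $e) { /* show a generic error, log $e */ }
// and in an image endpoint: serve_image($_GET['img'] ?? '');
```

Because the browser never fetches the stored file directly, a renamed PHP script that somehow passed the checks would still only be read back as bytes by `readfile()`, never handed to the PHP interpreter; the extension and content checks then reduce the chance of such a file being stored at all.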

mickna author 11/10/2011

"combine both methods"
Yes! I think this is what I will do.
thank you!

mickna