File upload and security

This topic is locked

File upload and security		11/10/2011 05:47:48
PHPRunner General questions
M mickna author Hi there, I am considering to change the upload location for images from MySql Blob to files. Now I am thinking about security: I can upload images and display them - fine. But I can also upload a php file... How can I check if the uploaded file is an image (jpg, png, gif) to prevent a script kiddie to upload a php shell or similar? Or is it enough to check the suffix (and therefore is it not possible to call a php script somehow, if it is renamed from .php to .jpg to bypass the simple suffix control?) Thanks, mickna

Mark as Solved Mark as not solved

3 replies


M	mickna author 11/10/2011
	Just testing. I think this would do the job to check the file type: $_FILES['thefile']['type']


	Sergey Kornilov admin 11/10/2011
	You can check the upload file extension and reject everything but image files: http://xlinesoft.com/phprunner/docs/check_size_and_extension_of_uploadfiles.htm Even if PHP file is renamed to .jpg it won't be executed. Another and better option is to choose upload folder located outside of your website root directory. This way upload files won't be accessible directly and no uploaded script can be executed. Probably you can combine both methods for tighter security.


M	mickna author 11/10/2011
	"combine both methods" Yes! I think this is what I will do. thank you! mickna

3 replies

Mark as Solved Reply