  1. #1
    Join Date
    Feb 2004

    PHP 4.3.2 File Upload Protection

    Recently, I have become involved in PHP/MySQL web development. I have decided to take on a small project to better my understanding of the subject by programming a threaded discussion forum. I am designing it to be simple, with relatively few features, but there is one feature I would like to include. This is to have a user be able to upload an avatar via HTTP Uploading. My question here is wouldn't a file upload script be vulnerable to injection based attacks? Wouldn't something like that allow execution of PHP or HTML code? Even injecting MySQL commands into the upload field? Are there any techniques available to stop malicious use of this kind of script? If so, I'd appreciate any replies. I have found a few articles on this on multiple search engines, but nothing as detailed as I am looking for.
    MySig != Worth your time

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Well I thought it would be a simple act of checking the data before submitting it... maybe a select case? You could check if it's HTML or SQL code... look for keywords. It's not supposed to be text anyways so you could probably check for that and deny it. If this isn't correct then my understanding is flawed but I would think that would work - I do know about PHP and MySQL but I have not done anything to that extent. So my advice may not work but it does sound good :-)

  3. #3
    If you watch your code (mysql_escape_string(), htmlentities(), etc.) you should be OK. But don't forget to check file types in your upload script and make it upload to a directory that is outside of $_SERVER['DOCUMENT_ROOT'], check it, then move to normal avatar directory. That way, if someone does manage to upload something malicious it will at least be checked before it gets moved to a publicly accessible directory.
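
The staging approach described in reply #3, as an added example that is not part of the original thread: the upload is first moved to a directory outside the document root, its type is decided from the file's content, and only then is it moved to the public avatar directory under a server-chosen name. The directory paths, the size limits, the `avatar` form field and the `store_avatar` function name are assumptions, and the code targets current PHP (7.0 or later) rather than 4.3.2.

```php
<?php
// Assumed locations and limits; adjust to the actual deployment.
const QUARANTINE_DIR = '/var/forum/quarantine';   // outside DOCUMENT_ROOT
const AVATAR_DIR     = '/var/www/forum/avatars';  // served to visitors
const MAX_BYTES      = 102400;                    // 100 KiB
const MAX_SIDE       = 200;                       // pixels, width and height

// Validates one entry of $_FILES and returns the stored file name.
function store_avatar(array $file, int $userId): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept a temp file that PHP itself created for this request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Stage outside the web root. The client-supplied name and MIME type
    // ($file['name'], $file['type']) are never used for any decision.
    $staged = QUARANTINE_DIR . '/' . $userId . '.upload';
    if (!move_uploaded_file($file['tmp_name'], $staged)) {
        throw new RuntimeException('could not stage upload');
    }

    // Decide the type from the file content and map it to a fixed extension.
    $extensions = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    $info = @getimagesize($staged);
    if ($info === false || !isset($extensions[$info[2]])
        || $info[0] > MAX_SIDE || $info[1] > MAX_SIDE) {
        unlink($staged);
        throw new RuntimeException('not an accepted image');
    }

    // Publish under a name built only from the integer user id.
    $final = AVATAR_DIR . '/' . $userId . '.' . $extensions[$info[2]];
    if (!rename($staged, $final)) {
        unlink($staged);
        throw new RuntimeException('could not publish avatar');
    }
    chmod($final, 0644);
    return basename($final);
}

// Usage in the upload handler ($currentUserId is a hypothetical variable):
// $name = store_avatar($_FILES['avatar'], $currentUserId);
```

`getimagesize()` reads only the image header, so the fixed extension and server-chosen name are what keep a file with trailing data from being treated as a script. Re-encoding the image with GD before publishing would also discard anything appended after the image data.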
