May 20th, 2004 06:58 PM
PHP 4.3.2 File Upload Protection
Recently, I have became involved in PHP/MySQL web development. I have decided to take on a small project to better my understaning of the subject by programming a threaded discussion forum. I am designing it to be simple, with relatively few features, but there is one feature I would like to include. This is to have a user be able to upload an avatar via HTTP Uploading. My question here is wouldn't a file upload script be vulnerable to injection based attacks? Wouldn't something like that allow execution of php or html code? Even injecting MySQL commands into the upload field? Are there any techniques available to stop malicous use of this kind of script? If so, I'd appreciate any replies. I have found a few articles on this on multiple search engines, but nothing as detailed as I am looking for.
May 20th, 2004 09:40 PM
Well I thought it would be a simple act of checking the data before submitting it... maybe a select case? You could check if it's html or sql code... look for keywords. it's not supposed to be text anyways so you could prob check for that and deny it. If this isnt correct then my understanding is flawed but I would think that would work - I do know about php and mysql but I have not done anything to that extent. So my advice may not work but it does sound good :-)
May 21st, 2004 01:35 AM
If you watch your code (mysql_escape_string(), htmlentities(), etc) you should be OK. But dont forget to check file types in your upload script and make it upload to a directory that is outside of $_SERVER['DOCUMENT_ROOT'], check it, then move to normal avatar directory, that way, if someone does manage to upload something malicious it will at least be checked before it gets moved to a publicly accessable directory.