
I have a script that uploads files to my server; here is my code.

When a user uploads a file to the server

  1. My script renames the file and saves the details in the DB.

  2. I place files outside of web root.

So, is my approach safe?

  • Please don't use the mysql_* functions; those are deprecated. Check this: meta.stackexchange.com/a/171640/176320 Commented Mar 16, 2013 at 5:10
  • @ranjith can you post that piece of code so I can work with it? Because it is working fine for me. Commented Mar 16, 2013 at 7:14

2 Answers

You should do further input validation on your file, like:

  • check the file size

  • check the file type with a "File Type Recogniser"

  • check content header

You can also check best practices for file uploads here: https://www.owasp.org/index.php/Unrestricted_File_Upload

Never run the file on your server.

To check the content type (I've never done this myself, btw) you can try something like:

<?php
$file = "path2file";
// FILEINFO_MIME_TYPE returns only the type ("application/zip"); FILEINFO_MIME would
// append "; charset=binary", so an exact in_array() match against it would never succeed.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$type = $finfo->file($file);
// Allowed list: add whatever content types are OK for your application
$allowed = array("application/zip", "application/x-zip");
if (in_array($type, $allowed, true)) {
    // you passed
}

15 Comments

Please see this; it already checks the extension: $ext = explode('.', $files['name'][$i]); $ext = strtolower(end($ext)); Then I also check the file's MIME type; I store that data in the DB.
Can you show me an example for the content header, so I can implement it?
@Danish: but this is not the right way to check the file extension, because a filename can have more than one dot, like this: new.image.jpg || new.image.png. For that, you can go for the built-in function pathinfo($filename); it will be a safe one.
@Tucker: I have one doubt. I upload all my files inside of the project dir. Is it a secure one?
The file security depends on how it's accessed and what you need security-wise. The file will likely do no harm if it simply sits there unread by the web application :-) that is, until you run out of space!
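The answer above lists the checks (size, sniffed type, extension, rename, storage outside the web root) but only sketches the type check. The following is an added example, not code from the original answer or the asker, that puts all of them together in one upload handler plus the download script that serves a stored file back. Assumed names: the form field `upload`, the storage directory `/var/www/uploads` (outside the web root), a PDO handle `$pdo` with an `uploads` table, a 5 MiB limit and the allowed types in `ALLOWED_TYPES`; it needs PHP 7 or later.

```php
<?php
// Added example: hardened upload handler applying the checks from the answer above.
// Assumed: field name "upload", storage dir outside the web root, PDO handle $pdo.

const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;      // assumed limit: 5 MiB
const UPLOAD_DIR       = '/var/www/uploads';    // assumed path outside the web root

// Allowed list keyed by the MIME type libmagic reports; the value is the extension we store with.
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

function handle_upload(array $file, PDO $pdo): string
{
    // Accept only a successful, genuine PHP upload (not an arbitrary local path).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 1. Size: measure the temp file on disk, not the client-reported $file['size'].
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large or empty');
    }

    // 2. Type: sniff the bytes with libmagic; $file['type'] is client-supplied and untrusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('file type not allowed');
    }

    // 3. Extension: pathinfo() takes the last one ("new.image.jpg" -> "jpg"); it must agree
    //    with the sniffed type, so "shell.php.jpg" style names are rejected here.
    $ext      = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $expected = ALLOWED_TYPES[$mime];
    $aliases  = ['jpeg' => 'jpg'];
    if (($aliases[$ext] ?? $ext) !== $expected) {
        throw new RuntimeException('extension does not match content');
    }

    // 4. Rename: a random server-chosen name, so no user-controlled bytes reach the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $expected;
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // not executable, not world-readable

    // 5. Record the original name (display only), the stored name and the sniffed type.
    $stmt = $pdo->prepare(
        'INSERT INTO uploads (original_name, stored_name, mime_type, size) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$file['name'], $stored, $mime, $size]);

    return $stored;
}

// Files outside the web root are only reachable through this script, which streams the bytes
// with the recorded type and never includes or executes the file.
function serve_upload(PDO $pdo, int $id): void
{
    $stmt = $pdo->prepare('SELECT stored_name, mime_type, original_name FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . basename($row['stored_name']); // basename(): no traversal via DB data
    header('Content-Type: ' . $row['mime_type']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . rawurlencode($row['original_name']) . '"');
    readfile($path);
}

// Usage (assumed form field name "upload"):
// $stored = handle_upload($_FILES['upload'], $pdo);
// serve_upload($pdo, (int) $_GET['id']);
```

The extension check is deliberately tied to the sniffed MIME type rather than checked on its own: the point of sniffing is that the bytes decide what the file is, and the extension only has to agree with that. `Content-Disposition: attachment` with `nosniff` keeps the browser from rendering a stored file inline, which matters if an uploaded PDF or image ever turns out to contain active content.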
Yes, your approach is safe, because all files will be uploaded outside of the web root; no one can access them directly via URL.
