Geek asks and answers

Protecting Files on a PHP Website

I have a website that accepts files uploaded by the user (images, pdfs, word docs, etc.) and then allows other users to upload them.

I understand that this poses a security risk, because attackers can download scripts, etc. that are disguised as useful files.

My question is, is it enough to check the mime type of the downloaded file using PHP (mime_content_type or finfo) and set the read-only file (non-executable) or should I also save the downloaded files in a directory that is outside the web root? I would think that this would eliminate most of the risk from the downloaded file, but I'm not sure. Performing a virus scan in the downloaded files is not possible in this situation.

Thanks for the input.

+3
source share
3 answers

It is common practice to upload files beyond the root of the document and, as a rule, use randomized file names, which are then mapped to the correct item / object / message in the database. If additional permissions are required to access the files, make sure that you check them before downloading is allowed, and, of course, you will only download authenticated users.

Fileinfo finfo_ mimety, , , -, ".txt", , , ".jpg" jpeg based . , MSMMype-, , -msword. , , (xls, ppt, doc ..).

PHP , -, . mime , .

header("Content-type: application-whatever");
header("Content-length: size-of-the-file-in-bytes");
+1

mime , . .gif id3, php, include. - long blob. - .

, no-sql, CouchDB.

, , $_FILES[]. $_FILES['type'] , , . $_FILES['name'] , ../../../. , (, mysql).

+1

I can recommend you use every tool at your disposal to check the file type. But be aware that there are other ways a hacker can inject a dangerous file.

It is best if the files are uploaded to another server . One that can only contain files.

+1
source

More articles:


All Articles