Accessory in file upload

By admin at 25 July, 2008, 10:33 am

Before allowing to upload file, you make like your users to check and secure the file.You may like to check extension and allow particular file (eg.image file only), check size, and others.So, I am listing some accessory which you may wish to have.

[ function checking extension of the file ]

You can check the mime-type and file extension and only allow certain types to be uploaded.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
<?php
 
//returns the extension of the file 
//Usage :: if index.HTML then returns .HTML
 
function get_extension($str){
 
	$i = strrpos($str,".");
	if (!$i) { 
	     return ""; 
	}
	$l = strlen($str) - $i;
	$ext = substr($str,$i+1,$l);
 
	return $ext;
 
}//end of function get Extension
 
?>

Now using this function you can check file extension before uploading file.
In case of picture file

1
2
3
4
5
6
7
8
9
<?php
 
if (($extension != "jpg")  && ($extension != "jpeg") && ($extension != "png") && ($extension != "gif"))	
{
	...
}else{
	...
}
?>

[ Disabling executing of these files could give us an extra layer of protection ]

Further if you are allowing your users only photos or pictures, you can restrict other files by placing the following code your your .htaccess file.

1
2
3
4
5
 
<Files ^(*.jpeg*.jpg*.png*.gif)>
order deny,allow
deny from all
</Files>

[ Black listing the extension you don't like to allow ]

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
 
<?php
 
function black_list($blacklist,$file){
 
	//$blacklist = array("php", "phtml", "doc", "txt", "js", "shtml", "pl" ,"py");
	foreach ($blacklist as $file)
	{
	      if(preg_match("/$file\$/i", $file))
	     {
		$_SESSION['msg'] = "ERROR :: Uploading executable files Not Allowed\n";
		return $_SESSION['msg'];
		exit;
	    }
	}
}
 
?>

[ Disable Script Execution with .htaccess ]

Just create .htaccess file with contents below and place it on the uploads folder to disable running malicious scripts.

1
2
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI

[ Other part of security ]

The best way of handling file uploads securely is rather than giving writable permissions to users, is to allow the writable permission to apache itself. In this way the apache server has writable permission rather than the user. Just chown the writable folder to apache or nobody and assign 770 permission.

In this way the public has no access to read or write or execute permissions in the uploads folder. You will notice that apache has rwx and so as the owner. You can safely place the upload folder inside www folder without any concern.

1
2
chown -R apache uploads
chmod -R 770 uploads

If anybody tries to access the uploads folder, through URL you will see forbidden.Because apache is the grou owner you will have no problem in displaying the images or photos to the browser.

1
<img src="uploads/file02929.gif">

Note :: This method works best if you have your own dedicated or vps plan with root permissions.


Spread the Words!




No comments yet.

Sorry, the comment form is closed at this time.