PHP File uploader

Soldato | Joined 1 Dec 2004 | Posts 23,076 | Location S.Wales
I'm planning the development of a PHP file uploader that I can put on the admin page I have on my website; the uploader will be used by me only for uploading files, especially since I want somewhere to host images and documents.

The admin page has a login script so only I have access to it.

I've got a few tutorials from the web on how to do this, but I was wondering if there were any special security threats that I need to think about. Obviously things like maximum file size and file extensions I have already thought about.

Thanks
 
Ensure the file name does not warp the location of the uploaded file. "Hackers" may try to upload a file called "../../../../../../../../../../../../etc/passwd", and that will let them take over the machine.

To avoid this..
Code:
<?php

// Canonical upload directory; realpath() resolves symlinks so the comparison
// below is made against the real path.
$upload_dir = realpath('/var/www/hostname/uploadfiles');

// realpath() returns false for a file that does not exist yet, which is every
// fresh upload, so resolve the directory the file would land in instead.
$target = $upload_dir . DIRECTORY_SEPARATOR . $_FILES['userfile']['name'];
$path   = realpath(dirname($target));

// The resolved directory must be the upload directory or something inside it.
// The trailing separator stops "uploadfiles_evil" from passing as a prefix match.
if ($upload_dir === false || $path === false
    || strpos($path . DIRECTORY_SEPARATOR, $upload_dir . DIRECTORY_SEPARATOR) !== 0)
{
    die('Illegal filename..');
}

?>
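The containment check above has two quiet edge cases: realpath() returns false for a file that is not on disk yet (so a bare check on the file's own path silently skips every fresh upload), and a plain prefix comparison lets a sibling directory such as "uploadfiles_evil" pass. The following is an added example, not Dj_Jestar's code, that resolves the parent directory instead and compares with a trailing separator; it runs a few constructed file names through the check against a temporary upload directory so the accept/reject decisions can be seen directly. The directory names and sample file names are assumptions made for the demonstration.

```php
<?php
// Added example (not code from the post): path containment for an upload that
// does not exist yet, exercised with constructed sample names.

// Does $filename, joined onto $upload_dir, resolve to somewhere inside $upload_dir?
// The parent directory is resolved rather than the file, because realpath()
// returns false for a file that has not been written yet.
function is_inside_upload_dir(string $upload_dir, string $filename): bool
{
    $base = realpath($upload_dir);
    if ($base === false) {
        return false;                        // upload directory itself is missing
    }
    if (strpos($filename, "\0") !== false) {
        return false;                        // NUL bytes are rejected outright
    }
    $parent = realpath(dirname($base . DIRECTORY_SEPARATOR . $filename));
    if ($parent === false) {
        return false;                        // parent does not exist, e.g. "missing/x"
    }
    // Trailing separator: "uploads_evil/" is not a prefix of "uploads/".
    return $parent === $base
        || strpos($parent . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) === 0;
}

// Constructed setup (assumption): a temporary upload directory, a subdirectory
// inside it, and a sibling whose name merely starts with the upload directory's name.
$upload_dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . bin2hex(random_bytes(4));
mkdir($upload_dir);
mkdir($upload_dir . DIRECTORY_SEPARATOR . 'images');
mkdir($upload_dir . '_evil');

// Sample file names => expected decision.
$samples = [
    'photo.jpg'                                    => true,
    'images/photo.jpg'                             => true,   // existing subdirectory
    '../../../../../../../../etc/passwd'           => false,  // the traversal from the post
    '../' . basename($upload_dir) . '_evil/x.php'  => false,  // sibling prefix case
    "photo.jpg\0.txt"                              => false,  // embedded NUL
    'missing/dir/photo.jpg'                        => false,  // parent does not exist
];

foreach ($samples as $name => $expected) {
    $got = is_inside_upload_dir($upload_dir, $name);
    printf("%-45s %s\n", str_replace("\0", '\0', $name), $got === $expected ? 'OK' : 'MISMATCH');
}

// Remove the constructed directories again.
rmdir($upload_dir . DIRECTORY_SEPARATOR . 'images');
rmdir($upload_dir . '_evil');
rmdir($upload_dir);
```

Run it from the command line with `php containment.php`; every line should print OK. The NUL check matters because PHP's filesystem functions refuse such paths with an error rather than a false return, and the function should answer "reject" rather than abort.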
 
Dj_Jestar said:
Code:
<?php

// Canonical upload directory; realpath() resolves symlinks so the comparison
// below is made against the real path.
$upload_dir = realpath('/var/www/hostname/uploadfiles');

// realpath() returns false for a file that does not exist yet, which is every
// fresh upload, so resolve the directory the file would land in instead.
$target = $upload_dir . DIRECTORY_SEPARATOR . $_FILES['userfile']['name'];
$path   = realpath(dirname($target));

// The resolved directory must be the upload directory or something inside it.
// The trailing separator stops "uploadfiles_evil" from passing as a prefix match.
if ($upload_dir === false || $path === false
    || strpos($path . DIRECTORY_SEPARATOR, $upload_dir . DIRECTORY_SEPARATOR) !== 0)
{
    die('Illegal filename..');
}

?>

Ty Dj_Jestar for that snippet.
 
Quick hijack from a PHP noob... :o

I recently made an image uploader after following a tutorial and I'm just using mysql_real_escape_string on the filename. Is that plenty safe enough too.... :)

Code:
// Temporary path PHP gave the uploaded file
$tmp_name = $_FILES['userfile']['tmp_name'];
// Escaped for SQL only; the name is used as a filesystem path unchanged
$name = mysql_real_escape_string($_FILES['userfile']['name']);
if(move_uploaded_file($tmp_name, "files/".$name)) {
    mysql_query("INSERT INTO .........
}
 
mysql_real_escape_string makes input safe for SQL input. It adds slashes before ' for example.

I don't think it makes it safe.

In the past I always used "ereg_replace("[^A-Za-z0-9_]", "", $string);" for making sure that file names were safe.
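The character-whitelist idea in the post above, together with the file-size and extension checks the original question mentions, as one added example that is not code from any poster here. It uses preg_replace(), since ereg_replace() was removed in PHP 7, and adds a content sniff with finfo so the extension is not the only thing the file is judged on. The size limit, the allowed-type table and the sample files are assumptions made for the demonstration; move_uploaded_file() is left to the real admin page because it only accepts files that arrived through an HTTP request.

```php
<?php
// Added example (not code from the thread): sanitising an uploaded file name and
// validating the upload before it is stored. Limits and paths are assumptions.

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;   // assumed limit: 2 MiB

// Extension => MIME type the file content must actually have.
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

// Reduce a user-supplied name to [A-Za-z0-9_-] plus one known extension.
// basename() drops any directory part, so "../../etc/passwd" becomes "passwd".
function safe_filename(string $name): ?string
{
    $name = basename($name);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;                                     // unknown or missing extension
    }
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '', pathinfo($name, PATHINFO_FILENAME));
    if ($stem === '') {
        $stem = 'file';
    }
    // Random suffix: two uploads called "photo.jpg" never overwrite each other,
    // and the stored name cannot be predicted from the original.
    return substr($stem, 0, 40) . '_' . bin2hex(random_bytes(8)) . '.' . $ext;
}

// Validate one $_FILES entry; returns ['ok' => bool, 'name' => safe name|null, 'error' => string].
function validate_upload(array $file): array
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'name' => null, 'error' => 'upload error ' . $file['error']];
    }
    if ($file['size'] > MAX_UPLOAD_BYTES || filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        return ['ok' => false, 'name' => null, 'error' => 'file too large'];
    }
    $safe = safe_filename($file['name']);
    if ($safe === null) {
        return ['ok' => false, 'name' => null, 'error' => 'extension not allowed'];
    }
    // The extension is only the uploader's claim; sniff the actual content too.
    $ext  = pathinfo($safe, PATHINFO_EXTENSION);
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return ['ok' => false, 'name' => null, 'error' => "content is $mime, not " . ALLOWED_TYPES[$ext]];
    }
    return ['ok' => true, 'name' => $safe, 'error' => ''];
}

// In the admin page an accepted file is then moved with
// move_uploaded_file($file['tmp_name'], $upload_dir . '/' . $result['name']).
// Below, constructed temp files stand in for $_FILES entries so the checks run from the CLI.
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64));   // PNG signature, 72 bytes
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hi';");                            // script content, 16 bytes

$samples = [
    ['name' => 'holiday photo.png', 'tmp_name' => $png, 'size' => 72, 'error' => UPLOAD_ERR_OK],
    ['name' => '../../etc/passwd',  'tmp_name' => $png, 'size' => 72, 'error' => UPLOAD_ERR_OK],
    ['name' => 'shell.php',         'tmp_name' => $php, 'size' => 16, 'error' => UPLOAD_ERR_OK],
    ['name' => 'fake.png',          'tmp_name' => $php, 'size' => 16, 'error' => UPLOAD_ERR_OK],  // wrong content
    ['name' => 'big.png',           'tmp_name' => $png, 'size' => 3 * 1024 * 1024, 'error' => UPLOAD_ERR_OK],
];
foreach ($samples as $s) {
    $r = validate_upload($s);
    printf("%-20s -> %s\n", $s['name'], $r['ok'] ? 'stored as ' . $r['name'] : 'rejected: ' . $r['error']);
}
unlink($png);
unlink($php);
```

Only the first sample is accepted; the others are rejected for a missing extension, a disallowed extension, content that does not match the extension, and size respectively. Because the whitelist removes every separator, no separate path-containment check is needed on the stored name, and storing under a generated name also means the database row, not the user's string, is what links the file to its original title.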
 