karl92
Joined: 29 Jan 2008 Posts: 2
Posted: Thu Feb 28, 2008 5:49 pm Post subject: Uploading files to server
Hey all, I know I'm probably in the wrong place to be asking this, but it's always worth a shot. I want to add an upload form to my website, which is hosted by Abyss Web Server. Basically I want to allow people to upload pictures onto my server/PC from the internet. Could anybody tell me how to go about this, please? Cheers
pkSML
Joined: 29 May 2006 Posts: 952 Location: Michigan, USA
Toasty
Joined: 21 Feb 2008 Posts: 298 Location: Chicago, IL
Posted: Sat Mar 01, 2008 2:17 am Post subject:
On my server, I run strip_tags over the files uploaded (some pictures won't work because of this)... But this will go a long way in preventing C99 scripts (external shells) from getting uploaded.
_________________
Audit the secure configuration of your server headers!
rrinc
Joined: 24 Feb 2006 Posts: 725 Location: Arkansas, USA
Posted: Sat Mar 01, 2008 2:38 am Post subject:
I can't see any problems with that. It should work to prevent PHP scripts and such.
_________________
-Blake | New Server :D
SaveTheInternet
I am a Spanish speaker. You can contact me by private message.
pkSML
Joined: 29 May 2006 Posts: 952 Location: Michigan, USA
Posted: Sat Mar 01, 2008 3:44 pm Post subject:
Toasty wrote:
> On my server, I run strip_tags over the files uploaded (some pictures won't work because of this)... But this will go a long way in preventing C99 scripts (external shells) from getting uploaded.
I wonder if you could use preg_replace_all instead of strip_tags and take out all occurrences of the following from the uploaded image:
<?
<javascript
<object
<applet
That should cover all your bases. (No guarantees, though.)
--------------------------------
Another idea: let users upload their pics to a directory outside of the docroot. Don't fiddle with their upload. Then have PHP access the pic and perform the strip_tags in real-time before spitting the image out.
This would enable you to check them manually for those pictures that won't work for you right now.
_________________
Stephen
Need a LitlURL?
http://CodeBin.yi.org
Toasty
Joined: 21 Feb 2008 Posts: 298 Location: Chicago, IL
Posted: Sun Mar 02, 2008 9:11 am Post subject:
^Him^ wrote:
> Another idea: let users upload their pics to a directory outside of the docroot. Don't fiddle with their upload. Then have PHP access the pic and perform the strip_tags in real-time before spitting the image out.
That's exactly what I do...
Example:
    // Read the stored upload (kept outside the docroot), strip tags, then send it as an image.
    $x = file_get_contents("file.png");
    $x = strip_tags($x);
    header("Content-Type: image/png"); // I think this is what it is
    echo $x;
As for the preg_replace...I haven't tried it, but I am a little worried about an attack like this:
As you can see, it would remove the middle tag in the process, and then create the previously broken tag into a tag.
I feel strip_tags is the safest. I'm sure there's better ways to do it, but seeing as my site uses that script for simple avatar uploads, I don't think it's a huge threat when an avatar doesn't work because strip_tags corrupted something within the image.
_________________
Audit the secure configuration of your server headers!
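An added example, not code from the thread and written in Python rather than PHP, that tests the property Toasty is worried about: a single pass of the blocklist replace pkSML proposes is not idempotent, so deleting one occurrence can leave the surrounding bytes forming the very pattern that was removed. The blocklist is the one from pkSML's post; the sample upload bytes are constructed for the demonstration.

```python
# Patterns pkSML proposed stripping from the upload (taken from the thread).
BLOCKLIST = [b"<?", b"<javascript", b"<object", b"<applet"]

# Constructed sample: a GIF signature followed by a doubled-up opening tag,
# the shape Toasty describes (not a real file from the thread).
SAMPLE_UPLOAD = b"GIF89a<<??php echo 'hi'; ?>"


def strip_once(data: bytes) -> bytes:
    """One pass of the proposed preg_replace: delete every blocklisted substring."""
    for pat in BLOCKLIST:
        data = data.replace(pat, b"")
    return data


def strip_until_stable(data: bytes, max_rounds: int = 32) -> bytes:
    """Repeat strip_once until a pass changes nothing (a fixed point).

    A single pass is not idempotent: deleting the inner '<?' from '<<??'
    leaves the outer '<' and '?' adjacent, which forms a fresh '<?'.
    """
    for _ in range(max_rounds):
        out = strip_once(data)
        if out == data:
            return out
        data = out
    raise ValueError("sanitizer did not converge")


def contains_blocked(data: bytes) -> bool:
    """Post-condition check: does any blocklisted substring survive?"""
    return any(pat in data for pat in BLOCKLIST)


def check_sanitizer(sanitize, data: bytes) -> bool:
    """True when the output is clean and sanitizing it again changes nothing."""
    out = sanitize(data)
    return not contains_blocked(out) and sanitize(out) == out


if __name__ == "__main__":
    print("single pass:", strip_once(SAMPLE_UPLOAD),
          check_sanitizer(strip_once, SAMPLE_UPLOAD))
    print("fixed point:", strip_until_stable(SAMPLE_UPLOAD),
          check_sanitizer(strip_until_stable, SAMPLE_UPLOAD))
```

Even a converged blocklist only removes the strings it knows about; keeping the uploads outside the docroot, as pkSML suggests, is what stops the web server from ever executing them.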