|
PHP - Risks Of Allowing Users To Upload Files To The Server
My server is Linux/Apache/PHP.
When a file is uploaded, I use PHP's finfo_open to confirm that the file have the correct file extension matches and delete them if it doesn't match. I also which file mimi types and size could be uploaded.
Things I do with the files include:
Upload user's files and store them in some public directory (/var/www/html/users_public_directory/), and allow other users to directly download them.
Upload user's files and store them in some private directory (/var/www/users_private_directory/), and allow other users to download them using X-Sendfile.
Upload user's ZIP files and convert them to PDF files (unzip the ZIP file, and uses Libreoffice and Imagemagick's convert to convert them to PDFs).
From the server's prospective, what are the risks of allowing users to upload files? Are there some file types which are more dangerous to the server? Could they be executed on the server, and if so, how could this be prevented?
Similar TutorialsI have code written for image uploading, but it doesn't allow multiple images on a single upload, and doesn't re-size. Anyone willing to share a good upload script that will do the following?: -Allow multiple image uploads (10+ per submission), -Re-size images on upload, and -Rename images. Thanks Brett There are websites like Soundcloud, Soundclick, MySpace and more.
The Question:
How to not get a law suite as a website owner when copyright protected music or in other words music from the retail has gotten uploaded?
Will moderating it and having it frequently taken down do the job?
I know that the users themselves could get researched too. The site owner could get requested to give out IP addresses. Though, I kept this separately from that question.
I basically would be looking to be safe and not get a law suite.
I would appreciate the suggestions a lot.
Hi all
I am building a tinymce image management plugin for a group
I'm trying to minimize the risks as much as possible with their current setup- No database, no access outside their folder etc...
But reading through the different topics I read a few posts about scripts being added inside the images that can be executed once the images is called.
Now, my "Hacking skills" must not be up to par because I tried doing this on my own just to test and I cant seem to make it work..
so my question is
Will uploading and resizing the image with imagecopyresampled or something reduce/remove the threat?
Not exactly sure how the "malicious" scripts are carried and then executed.
Thanks for any info you may be able to provide.
(I have read alot of threads in the forum on upload security and seems there are a few different thoughts that differ - so Im not trying to start a debate on that! just curious about the "Hidden File" issue)
Hi, ive recently created a gallery website and im happy with the way everything currently works. However the main drawback is the site uploads using a html webfom which is great for remote users or the odd image. However, as i want to mass upload my existing collection i will need the ability to read a selected folder and then to carry out all the same processes that existed from the existing html form upload. Im also using gdlibrary and checking file types to ensure they are within my allowed list, but im wondering if there are any other common security alerts i should be aware of to keep things a little bit safer if/when i publish outside of my LAN. So in a nut shell i need some assistance with changing my upload process to work for more than one file at a time, ideally by reading a folder, or at least reading X amount of files at a time - processing them then moving onto next batch of files in the list. Then the next part i need help with is checking/improving basic security of the system
i have php at server side and c++ at client side.what i am trying to do is to constantly look for files on server in folder on server if there’s a file in folder then download it on client side and delete it from server folder hi i was wondering how i would make a website that allowed a user to login and edit there website ... like im a hoster and they can have a webpage on my server... how would i do this? allow them to create a database , and use all types of code? please help me this is important , if i didnt explain good enough please tell me Hi folks, I'm curious if I can for example, save a file from my server and it will save to all other servers - obviously if they accepted the connection first. It's for a software I developed and is almost complete and know there will be frequent updates to it. Instead of users downloading upates, I want the update files from my server to somehow synchronize to their server automatically? Anything called this?? Thanks for info. So far I have managed to create an upload process which uploads a picture, updates the database on file location and then tries to upload the db a 2nd time to update the Thumbnails file location (i tried updating the thumbnails location in one go and for some reason this causes failure) But the main problem is that it doesn't upload some files Here is my upload.php
<?php
include 'dbconnect.php';
$statusMsg = '';
$Title = $conn -> real_escape_string($_POST['Title']) ;
$BodyText = $conn -> real_escape_string($_POST['ThreadBody']) ;
// File upload path
$targetDir = "upload/";
$fileName = basename($_FILES["file"]["name"]);
$targetFilePath = $targetDir . $fileName;
$fileType = pathinfo($targetFilePath,PATHINFO_EXTENSION);
$Thumbnail = "upload/Thumbnails/'$fileName'";
if(isset($_POST["submit"]) && !empty($_FILES["file"]["name"])){
// Allow certain file formats
$allowTypes = array('jpg','png','jpeg','gif','pdf', "webm", "mp4");
if(in_array($fileType, $allowTypes)){
// Upload file to server
if(move_uploaded_file($_FILES["file"]["tmp_name"], $targetFilePath)){
// Insert image file name into database
$insert = $conn->query("INSERT into Threads (Title, ThreadBody, filename) VALUES ('$Title', '$BodyText', '$fileName')");
if($insert){
$statusMsg = "The file ".$fileName. " has been uploaded successfully.";
$targetFilePathArg = escapeshellarg($targetFilePath);
$output=null;
$retval=null;
//exec("convert $targetFilePathArg -resize 300x200 ./upload/Thumbnails/'$fileName'", $output, $retval);
exec("convert $targetFilePathArg -resize 200x200 $Thumbnail", $output, $retval);
echo "REturned with status $retval and output:\n" ;
if ($retval == null) {
echo "Retval is null\n" ;
echo "Thumbnail equals $Thumbnail\n" ;
}
}else{
$statusMsg = "File upload failed, please try again.";
}
}else{
$statusMsg = "Sorry, there was an error uploading your file.";
}
}else{
$statusMsg = 'Sorry, only JPG, JPEG, PNG, GIF, mp4, webm & PDF files are allowed to upload.';
}
}else{
$statusMsg = 'Please select a file to upload.';
}
//Update SQL db by setting the thumbnail column to equal $Thumbnail
$update = $conn->query("update Threads set thumbnail = '$Thumbnail' where filename = '$fileName'");
if($update){
$statusMsg = "Updated the thumbnail to sql correctly.";
echo $statusMsg ; }
else
{ echo "\n Failed to update Thumbnail. Thumbnail equals $Thumbnail" ; }
// Display status message
echo $statusMsg;
?>
And this does work on most files however it is not working on a 9.9mb png file which is named "test.png" I tested on another 3.3 mb gif file and that failed too? For some reason it returns the following Updated the thumbnail to sql correctly.Updated the thumbnail to sql correctly. Whereas on the files it works on it returns REturned with status 0 and output: Retval is null Thumbnail equals upload/Thumbnails/'rainbow-trh-stache.gif' Failed to update Thumbnail. Thumbnail equals upload/Thumbnails/'rainbow-trh-stache.gif'The file rainbow-trh-stache.gif has been uploaded successfully. Any idea on why this is? I havent included the whole title as it wouldnt let me but I was wondering if someone could help me on this? I know this is possible as torrentflux caters for this but unsure of where to start. I dont want to allow file or directory uploads or creation in my /etc/php.ini file (this is turned off). Yet then torrentflux allows me to link a torrent from an external source (using legal downloads of course ) but then it uploads it on my server and creates folders on a per user basis. How is this possible can someone give me some pointers please? I look forward to any replies, Jeremy. What I'm trying to do is copy all files from one server to another folder on another server. Here is what I have have so far.. <?PHP //connection settings $ftp_server = "server"; $ftp_user_name = "user"; $ftp_user_pass = "pass"; $dir = "/var/test/"; $destination_file = "/test/"; // set up basic connection $conn_id = ftp_connect($ftp_server); // login with username and password $login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass); // check connection if ((!$conn_id) || (!$login_result)) { echo "FTP connection has failed!"; echo "Attempted to connect to $ftp_server for user $ftp_user_name"; exit; } else { echo "Connected to $ftp_server, for user $ftp_user_name"; } if (ftp_chdir($conn_id, $dir)) { echo " <br/>Current directory is now: " . ftp_pwd($conn_id) . "\n<p/>"; } else { echo "Couldn't change directory\n<p/>"; } $buff = ftp_rawlist($conn_id, $dir); foreach($buff as $files) { echo $files. "<br/>"; if (ftp_get($conn_id, $destination_file."test.file", $dir."test.txt", FTP_BINARY)) { echo "<br/>Successfully written to $destination_file\n"; } else { echo "There was a problem\n"; } ?> That doesn't work. Any ideas? Thanks, Sean Hi I am creating an e-commerce website, where users who pay with their credit card are able to download pdf books. how can I make a PDF file only accessible for those users (who pay and validate their credit card) and not for everyone ? I want to know the main idea about securing these files. I have a bunch of users in a database (id, name, etc).
I have a bunch of documents which belong to users (id, filename, users_id, etc), and expect 500 or less per user.
The documents will be renamed to the document_id, and X-Sendfile (since they are stored under the document root) will be used to retrieve them and a header will be used to return them to their original name.
Is it recommended to make a separate folder for each user and store each individual user's documents in that folder, or create one folder for all documents?
If I go with the one folder approach, I will need some method from keeping the total files per folder below some reasonable limit (1,000?). My thought is to estimate the maximum potential number of folders, and creating subfolders under the main document folder. I will likely hash the ID, and use the first character to create the first subfolder, the second character to create a second subfolder in the first subfolder, and continue as long as needed to accommodate the maximum potential documents (if there are 1,000,000 potential folders, then three levels will keep the maximum per folder under 244).
Please provide rational for one approach over the other.
Thank you
I want people to be able to post images on to my page but i want them to be able to add a caption when they post their image
This is the format I want the image and caption to be posted like
<div class="spacer"> </div>
<div class="jokestary-img" title="Siri will screw up your relationship">
<img src="uploads/Siri will screw up your relationship.jpg" />
<div class="caption"><div>Siri will screw up your relationship.</div></div></div>
The code for the upload form also wont work
The page says "Upload complete!" before i even choose a file and doesnt send to my database
?php
// properties of the uploaded file
$name = $_FILES ["myfile"] ["name"];
$type = $_FILES ["myfile"] ["type"];
$size = $_FILES ["myfile"] ["size"];
$temp = $_FILES ["myfile"] ["tmp_name"];
$error= $_FILES ["myfile"] ["error"];
if ($error > 0)
die ("Error uploading file! code $error.");
else
{
if ($type== "video/av/png || $size 1000000") //conditions for file
{
die("That format is not allowed or file size too big");
}
else
move_uploaded_file($temp,"uploads/".$name);
echo "Upload complete!";
}
?>
hi... I have a site that allows user to download some files. at present if i type http://www.abc.com/files/xyz.zip it allows all the users to access and download files. I want only the login users can access these files....... pls help how to do this. thanks in advance These are the specs that come to mind, CPU, RAM, Storage, Bandwith
My question is this, once you know what the point of a website is, whether it is to host videos, design something with an editor, ecommerce, if I ask a costumer "How many people do you expect to be on your site?"
Is that a fair question? Or is that arbitrary or even rhetorical like "Duh... the maximum count"
I want to know based on what is being accessed whether it is the photos displayed on page, character count, flash / javascript, whatever... how can I estimate?
This is for assigning VPS's depending on the clients requirement
This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=341970.0 Hi, I'm pretty new to this, so apologies if there's some simple solution/misunderstanding. It seems to me that when the user uploads a file, PHP pulls in the file into the temporary directory and then you can query it using the $_FILES array. Assuming I am correct so far, I have two questions: 1. Is there anyway to prevent the upload to the temporary folder based on file size? Seems to me a good way to overload a server to upload 10GB files, even if they are picked up as "errors" and deleted from the temp folder. 2. How long do files stay in the temporary folder? Does PHP delete them automatically, and if so, when? Thanks. I recently wrote a web app made with flash that communicates with php scripts on my web server(apache2). Like most others, I believe my web app is the end all be all and could potentially attract millions of users Ok, long story short, in the long haul, there will be people using robots to communicate with my php scripts to do tasks that are in the game in order to cheat. I'd like to limit these users from hammering the server with robotic requests. I no for a fact that no human will make requests to my game more than once per two seconds or so. So is it best for me to somehow do this type of code with php? or maybe at the apache level somehow? My flash application can detect http error status codes for each request so if any solution would cause a non standard 200, that is fine, i should be able to detect the code, and wait a couple seconds on the flash client, then do a retry hopefully I'm lost on this one and would appreciate some help Hey All, First post so please be gentle! I have a website www.antiquesattic.co.uk and i have been left in the lurch and without it being fully finished. I want to add google analytics code to everypage and i am a bit stuck. I have access to the server (apache 2.2.19) and have been able to add site maps etc but i am not sure where to paste the analytics code. Which folder would i look in and whereabouts do i paste. I would be extremely extremely grateful if someone could do me a quick step by step guide Also, if you would like to have a look at the website and give me some feedback that would be great! One final thing, i can't add content to the homepage just auctions, would it be a easy job to get some one to edit the site so i can add say 1000 words of text at the bottom of the homepage from my admin area? Apologies for the noob questions but my expertise is in sales and marketing not coding. Thanks Chris Good day: I have a simple uploader form to upload video files. FLV and mpg files will upload without problems. But mp4, m4v, ogg and webm files will not upload. I get this error: Warning: copy() [function.copy]: Unable to access in /mounted-storage/home7/sub007/sc30390-PTUD/**********.com/admin123/insertvideo.php on line 32 Error Video not loaded. I have read about adding the files in config/mimes.php but I do not see that folder or files in my hosting service (which is servage). Any help will be appreciated. Thanks. |
|||||||