File System Access and PHP Security
Allowing your users to upload files opens security holes: users can upload malicious files and infect your site with malware. How risky this is depends on how you implement the feature and on the privileges you grant it. One option is to check whether the upload feature is really needed, or whether it is a feature just for the sake of a feature.
One way to prevent or minimize attacks is to always state explicitly where uploaded content will go: specify the upload folder precisely. When users upload files, check the file names as well. Are they trying to reach a different location using relative components such as ../? Check the type of file they are trying to upload: is it an exe file? What about the size of the file? Is the user uploading repeatedly? Is the user a real human being? Protect the feature with a CAPTCHA.
Do not use relative paths in your code, and do not specify a file upload location using a relative path. Do not assume that the folder the website resides in is the only place to keep uploaded files. You can define another location in your code that is normally inaccessible to users. Your root website folder is public and is not the best place to keep uploaded files.
Also, when you are opening a file, do not use relative paths; determine the exact location and filename, and work with that specific location and filename.
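The checks above (fixed absolute upload directory outside the web root, file-name validation against ../, type and size checks, no reliance on the client-supplied name) put together in one upload handler. This is an added example, not code from the original post; the directory `/var/app-data/uploads`, the 2 MiB limit and the extension/MIME allow-list are assumptions for illustration.

```php
<?php
// Added example (not from the original post): a hardened upload handler.
// Assumptions: uploads are stored in UPLOAD_DIR, an absolute path outside
// the web root, and only the listed extensions/MIME types are accepted.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/uploads';   // absolute, outside DocumentRoot (assumed)
const MAX_BYTES  = 2 * 1024 * 1024;           // 2 MiB limit (assumed policy)
const ALLOWED    = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];

function handleUpload(array $file): string
{
    // 1. Reject anything PHP itself flagged (size limit hit, partial upload, ...)
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    // 2. Only trust files that really came through the HTTP upload mechanism
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // 3. Size check on the server side (client-side limits can be bypassed)
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // 4. Never use the client-supplied name as a path: strip directories,
    //    reject traversal sequences and separators, and allow-list the extension
    $clientName = basename((string) $file['name']);
    if ($clientName === '' || strpos($clientName, '..') !== false
        || strpbrk($clientName, "/\\\0") !== false) {
        throw new RuntimeException('Invalid file name');
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // 5. Check the real content type, not the one the browser claimed
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    // 6. Store under a server-generated name inside the fixed absolute directory
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    // 7. Confirm the resolved path is still inside UPLOAD_DIR (no symlink tricks)
    if (strpos((string) realpath($target), realpath(UPLOAD_DIR) . '/') !== 0) {
        unlink($target);
        throw new RuntimeException('Stored path escaped the upload directory');
    }
    chmod($target, 0640);   // not executable, not world-readable
    return $target;
}

// Usage from a form with <input type="file" name="document">:
// $stored = handleUpload($_FILES['document']);
```

The stored name is generated on the server, so the client's name is only ever used for the extension check; repeat-upload limits and the CAPTCHA mentioned above sit in front of this handler rather than inside it.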
PHP by default allows remote file access, which is a really bad idea. Unless you have a good reason to allow remote file access, turn it off. You can turn it off in the php.ini file by disabling allow_url_fopen.
However, if you really need to use remote files, do not open or execute them directly. Do it in two steps: first retrieve the data, then process the data in the second step. You can use FTP functionality to retrieve/upload first and then process the result. From: http://sitestree.com/?p=193
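The two-step pattern described above, as an added example that is not part of the original post. The post suggests FTP functions for the retrieval step; this example uses the curl extension instead, which keeps working with allow_url_fopen turned off. The php.ini settings in the header comment, the staging directory, the 1 MiB cap and the host allow-list are assumptions for illustration.

```php
<?php
// Added example (not from the original post): retrieve a remote file in two
// steps instead of handing a URL straight to include/fopen.
// Assumed php.ini hardening (set by the administrator, not by this script):
//   allow_url_fopen = Off
//   allow_url_include = Off
declare(strict_types=1);

const STAGING_DIR   = '/var/app-data/staging';   // absolute, outside DocumentRoot (assumed)
const MAX_REMOTE    = 1024 * 1024;               // 1 MiB cap on fetched data (assumed)
const ALLOWED_HOSTS = ['feeds.example.com'];     // constructed allow-list

// Step 1: retrieve the bytes with curl into a fresh staging file. Nothing is
// executed or parsed here; the result is just a file on disk.
function fetchToStaging(string $url): string
{
    $parts = parse_url($url);
    if (($parts['scheme'] ?? '') !== 'https'
        || !in_array($parts['host'] ?? '', ALLOWED_HOSTS, true)) {
        throw new RuntimeException('URL not permitted');
    }
    $path = STAGING_DIR . '/' . bin2hex(random_bytes(16)) . '.dat';
    $fh = fopen($path, 'xb');   // 'x' fails if the file already exists
    if ($fh === false) {
        throw new RuntimeException('Cannot create staging file');
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_FILE           => $fh,
        CURLOPT_FOLLOWLOCATION => false,            // no redirects to other hosts
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // https only
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => MAX_REMOTE,
    ]);
    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    fclose($fh);
    if ($ok === false || $status !== 200 || filesize($path) > MAX_REMOTE) {
        unlink($path);
        throw new RuntimeException('Fetch failed or response too large');
    }
    return $path;
}

// Step 2: process the staged data as data only (here: decode it as JSON).
// The staged file is never passed to include/require/eval.
function processStaged(string $path): array
{
    $raw = file_get_contents($path);
    unlink($path);   // staging file is single-use
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new RuntimeException('Unexpected payload');
    }
    return $data;
}

// Usage:
// $list = processStaged(fetchToStaging('https://feeds.example.com/list.json'));
```

Keeping the fetch and the processing in separate functions makes it obvious that the remote bytes are only ever treated as input to a parser, and the allow-list plus the disabled redirects keep the fetch from being pointed at arbitrary locations.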
Categories:Web Development
Tags:PHP Security, File Security, Malware
Post Data:2013-01-11 00:29:29