Comments on: Implementing Secure File Upload in PHP http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/ Daily Blog from Internet Entrepreneur/Webmaster Sat, 20 Mar 2010 11:13:19 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: DJ http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-7059 DJ Tue, 23 Feb 2010 03:42:46 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-7059 Thanks govna' that hit the spot Thanks govna’ that hit the spot

]]> By: Hitesh http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-4953 Hitesh Sun, 15 Nov 2009 11:47:50 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-4953 Nice information.. really helpful. Well this can help you in secure file writing through ftp in php http://phpwala.wordpress.com/2009/11/15/how-to-write-file-though-ftp-in-php-without-777-permission/ Nice information.. really helpful.
Well this can help you in secure file writing through ftp in php
http://phpwala.wordpress.com/2009/11/15/how-to-write-file-though-ftp-in-php-without-777-permission/

]]> By: Su http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-3398 Su Thu, 16 Apr 2009 10:49:45 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-3398 Thanks it was really a wonderful suggestion! Thanks it was really a wonderful suggestion!

]]> By: Patrik http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-3383 Patrik Fri, 10 Apr 2009 06:51:10 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-3383 Thanks mate,this was exactly what I was looking for. Thanks mate,this was exactly what I was looking for.

]]> By: Kaushik http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2997 Kaushik Tue, 03 Mar 2009 05:59:16 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2997 Hi there, awesome tips. Another layman query though, this is actually more wordpress specific, I use a shared host and have to necessarily give the 777 permission on uploads. the issue though is more of the ownership. I understand it is possible to do the chmod and chown commands through php itself, any light on this? the main issue for me is that my shared host assigns the username as user and group id, but when wordpress connects to the file it uses nobody i.e 99/99 . Any thoughts on if/how this can be controlled? Thanks in advance Hi there,
awesome tips. Another layman query though, this is actually more wordpress specific, I use a shared host and have to necessarily give the 777 permission on uploads. the issue though is more of the ownership. I understand it is possible to do the chmod and chown commands through php itself, any light on this? the main issue for me is that my shared host assigns the username as user and group id, but when wordpress connects to the file it uses nobody i.e 99/99 . Any thoughts on if/how this can be controlled? Thanks in advance

]]> By: JR http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2962 JR Sun, 01 Mar 2009 10:37:10 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2962 Great script Thanks !! Great script Thanks !!

]]> By: Carol http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2509 Carol Mon, 22 Dec 2008 21:36:24 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2509 Hi, I think rather than adding htaccess its better to add the codes in httpd.conf as Options -Indexes Options -ExecCGI AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi bcoz .htaccess has some performance issues. thanks Carol Hi,

I think rather than adding htaccess its better to add the codes in httpd.conf as

Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

bcoz .htaccess has some performance issues.

thanks
Carol

]]> By: pbu http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2137 pbu Thu, 13 Nov 2008 21:40:39 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2137 In that case the only option you have is to make folder writable 777. however you can also hide the contents of folder and disable exec permissions with htaccess file In that case the only option you have is to make folder writable 777. however you can also hide the contents of folder and disable exec permissions with htaccess file

]]> By: stephen chan http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2135 stephen chan Thu, 13 Nov 2008 13:27:31 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-2135 Hi! If a website is shared-hosted and have no control over Apache setting, and there are no specific file type that is allowed or not allowed, what can I do? By the way, is there anyway where I can build in a virus checking (triggering some anti-virus software to check the file to be uploaded) mechanism. Thanks, Stephen Hi!
If a website is shared-hosted and have no control over Apache setting, and there are no specific file type that is allowed or not allowed, what can I do?

By the way, is there anyway where I can build in a virus checking (triggering some anti-virus software to check the file to be uploaded) mechanism.

Thanks,
Stephen

]]> By: DrTebi http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-795 DrTebi Sun, 24 Aug 2008 11:25:12 +0000 http://corpocrat.com/2007/11/28/implementing-secure-file-upload-in-php/#comment-795 Yes, disallowing directory browsing should be enforced as well. I actually have it disabled system-wide, and enable it if I see a need for it. I have found an interesting and quite comprehensive document that explains all the problems with image uploads, if you're interested, you can find it here: http://www.scanit.be/uploads/php-file-upload.pdf Still... my suggestion works very well. But after reading this document, I figured that image uploads can still cause problems, if they have some hidden PHP code in it. But there is yet another simple solution: just turn off the PHP engine for the image directory. This can be done within a directory container block in httpd.conf: php_admin_value engine Off or in an .htaccess file within the image directory: php_value engine Off Have a nice day :) DrTebi Yes, disallowing directory browsing should be enforced as well. I actually have it disabled system-wide, and enable it if I see a need for it.

I have found an interesting and quite comprehensive document that explains all the problems with image uploads, if you’re interested, you can find it here:
http://www.scanit.be/uploads/php-file-upload.pdf

Still… my suggestion works very well. But after reading this document, I figured that image uploads can still cause problems, if they have some hidden PHP code in it. But there is yet another simple solution: just turn off the PHP engine for the image directory. This can be done within a directory container block in httpd.conf:

php_admin_value engine Off

or in an .htaccess file within the image directory:

php_value engine Off

Have a nice day :) DrTebi

]]>