[nycphp-talk] PHP MySQL File Upload Help

Brian O'Connor gatzby3jr at gmail.com
Thu Apr 27 12:26:25 EDT 2006


This is the way I currently upload some images to my website now.  I really
have no idea how safe this is, so if it's unsafe, please let me know.

// FTP configuration
$ftp_server = 'myftpaddr';
$ftp_user_name = 'myuser';
$ftp_user_pass = 'mypass';

// Status flags set by the checks below
$failure = false;
$message = '';

// Connect
$conn_id = ftp_connect($ftp_server);

// Get filename / extension
$filename = explode('.', $_FILES['ap_filename']['name']);
$ext = $filename[count($filename) - 1];

// Make sure extension is jpg
if (strtolower($ext) != 'jpg') {
    $failure = true;
    $message .= 'The file type must be jpeg.<br>';
}

// login with username and password
$login_result = ftp_login($conn_id, $ftp_user_name, $ftp_user_pass);

// check connection
if ((!$conn_id) || (!$login_result)) {
    $failure = true;
    $message .= 'Connection was not established.<br>';
}

// Change directory
$directory = ftp_chdir($conn_id, 'path/to/dir');
if (!$directory) {
    $failure = true;
    $message .= 'Could not change directories.<br>';
}

// Temporary name
$source_file = $_FILES['ap_filename']['tmp_name'];

// Real name
$destination_file = $_FILES['ap_filename']['name'];

// some error handling: only upload when every check above passed
if (!$failure) {
    // upload the file
    $upload = ftp_put($conn_id, $destination_file, $source_file, FTP_BINARY);
}

ftp_close($conn_id);

On 4/27/06, csnyder <chsnyder at gmail.com> wrote:
>
> On 4/26/06, Brian O'Connor <gatzby3jr at gmail.com> wrote:
> > While we're on this topic, I was wondering if some people could
> > enlighten me on some good practices (if any at all really) for allowing
> > users to upload files via a php page.
> >
> > Currently, I am using the ftp approach to upload certain files to my
> > site, but I'm not really sure if that's the safest / most effective way.
> > I had been using move_uploaded_file() before, but that didn't seem to
> > work for me on some hosts (I'm on a shared host, and I probably will be
> > for quite some time).
> >
> > Thanks.
>
>
> Which ftp approach do you mean?
>
> Some things you can do to safely handle uploaded files are:
>
> 1) use is_uploaded_file() to make sure you can trust the data in the
> temporary file
>
> 2) make sure uploaded files are *never* saved with .php extensions (or
> any other extension the webserver might execute as php). it's possible
> to embed php code in files of any mimetype.
>
> 3) store uploads outside of the web root, so that an attacker can't
> request an uploaded file directly. this helps mitigate the risk in #2.
>
>
> --
> Chris Snyder
> http://chxo.com/
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> New York PHP Conference and Expo 2006
> http://www.nyphpcon.com
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>



--
Brian O'Connor
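An added example, not Brian's code and not anything posted in the thread, showing how the three practices Chris lists (is_uploaded_file(), never saving under an extension the web server might execute, storing outside the web root) fit into a handler for the same 'ap_filename' field. It also checks the file's content with getimagesize() instead of only the client-supplied extension, and picks the stored name itself. The storage directory, the size limit, the 'id' query parameter and the use of PHP 7+ functions (random_bytes(), scalar type hints) are assumptions, not anything from the thread.

```php
<?php
// Added example: a JPEG upload handler applying the three practices from
// Chris Snyder's reply. Assumed: STORE_DIR is a directory outside the web
// root that the web server user can write to; PHP 7 or later.

const STORE_DIR = '/var/app/uploads'; // hypothetical path, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;   // constructed limit: 2 MiB

/**
 * Validate one entry of $_FILES and store it under a server-chosen name.
 * Returns the stored file name (32 hex chars + '.jpg'); throws on any failure.
 */
function store_uploaded_jpeg(array $file, string $storeDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload did not complete.');
    }
    $tmp = $file['tmp_name'];

    // 1) Only trust a path that PHP itself created for this request.
    if (!is_uploaded_file($tmp)) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if (filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }

    // Check the content, not the name: getimagesize() reads the image header,
    // so a file called foo.jpg that is really a script is rejected here.
    $info = @getimagesize($tmp);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('The file type must be jpeg.');
    }

    // 2) Never reuse the client's file name: the stored name is random and the
    //    extension is fixed, so nothing ending in .php (or similar) is written.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($storeDir, '/') . '/' . $name;

    // 3) $storeDir is outside the web root, so the file can never be requested
    //    directly; serve_stored_jpeg() below hands it out with a fixed type.
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store the file.');
    }
    chmod($dest, 0644); // plain data, never executable
    return $name;
}

/**
 * Stream a stored image with a fixed Content-Type. Only names matching what
 * store_uploaded_jpeg() produces are accepted, so traversal strings such as
 * "../../etc/passwd" are rejected before any file system access happens.
 */
function serve_stored_jpeg(string $name, string $storeDir): void
{
    if (!preg_match('/^[0-9a-f]{32}\.jpg$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storeDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/jpeg');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Usage: a POST from the upload form stores the image; a GET with ?id=<name>
// (the assumed viewer parameter) streams it back.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['ap_filename'])) {
    try {
        $stored = store_uploaded_jpeg($_FILES['ap_filename'], STORE_DIR);
        echo 'Stored as ', htmlspecialchars($stored), '<br>';
    } catch (RuntimeException $e) {
        echo htmlspecialchars($e->getMessage()), '<br>';
    }
} elseif (isset($_GET['id'])) {
    serve_stored_jpeg($_GET['id'], STORE_DIR);
}
```

If move_uploaded_file() is not usable on a given host, the same validated temporary file and the same generated $name can be handed to ftp_put() instead; the checks above are what matter, not the copy mechanism, provided the FTP target directory is also outside the web root.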