Have a look at this security paper, it covers most everything you need to do a secure file upload with php.
http://www.scanit.be/uploads/php-file-upload.pdf

-phpninja

On 10/2/07, Orson Jones <[EMAIL PROTECTED]> wrote:
> I am building the ability for authenticated users to create php files
> and upload graphics. These would then be served by the server.
>
> More details. The php files are automagically generated by form input
> (that doesn't allow php code) This is heavily filtered/escaped. I am
> fairly confident in this part (security of code generated.) The php
> files will be served by include($file), then calling functions defined
> within the file. The php files are also designed so that if they were to
> be served directly, they would not output anything.
>
> I haven't started on the graphics upload yet, but it would be served the
> same way. (through my php program, not directly by apache)
>
> So, there is no reason apache needs to see the uploaded/created files,
> but php does need to see them. (ok, they are usually the same user, but
> it's the idea I'm going for.) This is on a standard cheap linux hosting
> server for the time being.
>
> I am wondering what setup you recommend for doing this type of thing.
> Where do you save the files? How do you configure permissions? Can/How
> do you validate images? Etc.
>
> Thanks,
> Orson
>
> _______________________________________________
>
> UPHPU mailing list
> [email protected]
> http://uphpu.org/mailman/listinfo/uphpu
> IRC: #uphpu on irc.freenode.net
