On 03 Oct 2007, at 12:02, phpninja wrote:
Have a look at this security paper, it covers most everything you need
to do a secure file upload with php.
http://www.scanit.be/uploads/php-file-upload.pdf
-phpninja
On 10/2/07, Orson Jones <[EMAIL PROTECTED]> wrote:
I am building the ability for authenticated users to create php files
and upload graphics. These would then be served by the server.

More details. The php files are automagically generated by form input
(that doesn't allow php code). This is heavily filtered/escaped. I am
fairly confident in this part (security of code generated.) The php
files will be served by include($file), then calling functions defined
within the file. The php files are also designed so that if they were to
be served directly, they would not output anything.

I haven't started on the graphics upload yet, but it would be served the
same way. (through my php program, not directly by apache)

So, there is no reason apache needs to see the uploaded/created files,
but php does need to see them. (ok, they are usually the same user, but
it's the idea I'm going for.) This is on a standard cheap linux hosting
server for the time being.

I am wondering what setup you recommend for doing this type of thing.
Where do you save the files? How do you configure permissions? Can/How
do you validate images? Etc.

Thanks, that was a good article.
_______________________________________________
UPHPU mailing list
[email protected]
http://uphpu.org/mailman/listinfo/uphpu
IRC: #uphpu on irc.freenode.net
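
Added example (not part of the thread, and not taken from the linked paper): one way to handle the graphics upload asked about above, storing files outside the document root under a server-generated name and serving them through PHP rather than Apache. The directory, the size limit and the function names are assumptions; it needs PHP 7 with the fileinfo extension.

```php
<?php
// Added example. UPLOAD_DIR, MAX_BYTES and the function names are assumptions.
const UPLOAD_DIR = '/home/example/private_uploads'; // hypothetical, outside the document root
const MAX_BYTES  = 2097152;                         // arbitrary 2 MiB limit
const ALLOWED    = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
// Return the extension for a valid image at $path, or null if it is rejected.
function image_extension(string $path): ?string
{
    $info = @getimagesize($path); // false when the header is not a known image format
    if (filesize($path) > MAX_BYTES || $info === false
        || !array_key_exists($info[2], ALLOWED)) {
        return null;
    }
    // Second opinion from libmagic: both detectors must agree on the type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $mime === image_type_to_mime_type($info[2]) ? ALLOWED[$info[2]] : null;
}

// Store one $_FILES entry; returns the server-generated name, or null on rejection.
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = image_extension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext; // client filename is never used
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    chmod(UPLOAD_DIR . '/' . $name, 0600); // readable only by the account PHP runs as
    return $name;
}

// Serve a stored image through PHP. A valid image can still contain PHP text,
// so it is sent with readfile() and never passed to include().
function serve_upload(string $name): void
{
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg|gif)\z/', $name, $m)
        || !is_file(UPLOAD_DIR . '/' . $name)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . image_type_to_mime_type(array_search($m[1], ALLOWED)));
    header('X-Content-Type-Options: nosniff');
    readfile(UPLOAD_DIR . '/' . $name);
}
```

A call such as store_upload($_FILES['graphic']) (the field name is an assumption) returns the name to record for the user, and that name is the only thing serve_upload() accepts.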