[FX.php List] [OFF] Potential gotchas with uploading files?

Bob Patin bob at patin.com
Fri Apr 3 08:30:52 MDT 2009


I definitely wouldn't embed the upload path anywhere but in PHP so
that it's not visible to users.

Also, I check for authorization at the top of my upload pages, so that
only someone who logged in properly can load the upload pages--that
will keep anyone else from being able to upload anything.

I put something like this:

<?php
session_start(); // the session has to be started before $_SESSION can be read
// Only a user whose login set this flag may load the upload page; isset() avoids a notice when it was never set
if (!isset($_SESSION['convoluted_variable']) || $_SESSION['convoluted_variable'] != "lethimin"){
	echo 'Access prohibited.';
	exit;
}


Bob Patin




Longterm Solutions
bob at longtermsolutions.com
615-333-6858
http://www.longtermsolutions.com
iChat: bobpatin
AIM: longterm1954
FileMaker 9 Certified Developer
Member of FileMaker Business Alliance and FileMaker TechNet
--------------------------
FileMaker hosting and consulting for all versions of FileMaker
PHP • Full email services • Free DNS hosting • Colocation • Consulting

On Apr 2, 2009, at 10:49 PM, Anders Monsen wrote:

> Not sure if your users will be able to see the upload directory
> path, but if this is the case and the path can be accessed via web
> browser, then they may end up with access to the entire directory
> via a browser. One way around this is to include an index.html file
> in that directory with a gentle message to the user. This way, if
> they put in the directory path and a trailing slash they will see the
> contents of this file rather than the directory listing with options
> to download the files.
>
> --
> Anders Monsen
>
>
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org on behalf of Bob Patin
> Sent: Thu 4/2/2009 10:18 PM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] [OFF] Potential gotchas with uploading  
> files?
>
> Good point about the filesizes; there are a couple of filesize
> settings in PHP that you'll want to bump up--max file size is one, and
> there's a 2nd one, but I forget the name now. If you look for 'max'
> after pulling up phpinfo() on a page, you'll find it. If I remember
> correctly, they're set to 2MB by default.
>
>
>
> Bob Patin
>
>
>
> Longterm Solutions
> bob at longtermsolutions.com
> 615-333-6858
> http://www.longtermsolutions.com
> Twitter: bobpatin
> iChat: bobpatin
> AIM: longterm1954
> FileMaker 9 Certified Developer
> Member of FileMaker Business Alliance & FileMaker TechNet
> --------------------------
> FileMaker hosting and consulting for all versions of FileMaker
> Web hosting . PHP . Full email services . Free DNS hosting .
> Colocation . Consulting
>
> On Apr 2, 2009, at 9:57 PM, Dale Bengston wrote:
>
> > Hi Joel,
> >
> > The biggest headaches I've had with file upload have come from PHP
> > and Apache settings for file sizes and memory allocations. They're
> > set pretty low by default. Depending on what you're allowing for
> > uploads, this may not be an issue at all, but it got me. Also,
> > validate, validate, validate what's being uploaded.
> >
> > On Apr 2, 2009, at 9:15 PM, Joel Shapiro wrote:
> >
> >> Hi all
> >>
> >> I'm looking for thoughts on how complicated an upload-file site can
> >> be.
> >>
> >> I've got a potential new project that would involve people
> >> uploading files via the Web and then having those files accessible
> >> to FMP clients.  I haven't worked with uploading before, but I've
> >> successfully put together the basics of uploading files and moving
> >> them to a specified directory.  In my brief experimenting, though,
> >> I've already seen issues with access privileges of the uploaded
> >> files (on my development machine) and UPLOAD_ERR_NO_TMP_DIR errors
> >> on my regular web host.  I'm also aware that there are security
> >> concerns when uploading files to a server, and know that servers
> >> and php can be configured quite differently in different machines
> >> and environments (it's not yet determined if the site will be
> >> hosted internally or through an external FM host).  FWIW - I'd
> >> probably leave files in their directory(ies) on the web server and
> >> have the FMP clients get to them via their network paths, so I'm
> >> not very concerned about that part of it.
> >>
> >> For those that have worked with this, what kinds of problems
> >> should I be ready for?  Could this be a big headache?
> >>
> >> TIA,
> >> -Joel
> >> _______________________________________________
> >> FX.php_List mailing list
> >> FX.php_List at mail.iviking.org
> >> http://www.iviking.org/mailman/listinfo/fx.php_list
> >
>
>
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
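The advice scattered through this thread (authorize before touching the upload, bump the PHP size limits, put uploads somewhere a browser can't list, and validate what arrives) fits in one short handler. The following is an added example, not code from the thread or from FX.php; it assumes PHP 7.1 or later, that the login page sets $_SESSION['logged_in'] = true, that the form field is named "document", and that the placeholder directory /var/uploads/private sits outside the web root and is writable by the web server. The size-limit directives it mentions, upload_max_filesize and post_max_size, are the standard php.ini settings that phpinfo() will show; upload_max_filesize defaults to 2M, which matches the 2MB figure recalled above.

```php
<?php
// Added example (not from the thread): a hardened upload handler.
// Assumptions: login sets $_SESSION['logged_in'], the form field is "document",
// and UPLOAD_DIR is a placeholder path outside DocumentRoot that PHP can write to.
session_start();

const UPLOAD_DIR = '/var/uploads/private';   // placeholder; outside the web root, so no listing is possible
const MAX_BYTES  = 2 * 1024 * 1024;           // our own cap; php.ini upload_max_filesize and post_max_size must allow at least this
const ALLOWED    = [                          // MIME type sniffed from the bytes => extension we store it under
    'application/pdf' => 'pdf',
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
];

// 1. Authorization comes first, before any file handling.
if (empty($_SESSION['logged_in'])) {
    http_response_code(403);
    exit('Access prohibited.');
}

function rejectUpload(string $reason): void {
    http_response_code(400);
    exit('Upload rejected: ' . htmlspecialchars($reason, ENT_QUOTES, 'UTF-8'));
}

// 2. Turn PHP's $_FILES error codes into messages (UPLOAD_ERR_NO_TMP_DIR is the one from the thread).
$errorText = [
    UPLOAD_ERR_INI_SIZE   => 'File exceeds upload_max_filesize in php.ini.',
    UPLOAD_ERR_FORM_SIZE  => 'File exceeds the MAX_FILE_SIZE field in the form.',
    UPLOAD_ERR_PARTIAL    => 'File was only partially uploaded.',
    UPLOAD_ERR_NO_FILE    => 'No file was uploaded.',
    UPLOAD_ERR_NO_TMP_DIR => 'Server has no temporary upload directory (check upload_tmp_dir).',
    UPLOAD_ERR_CANT_WRITE => 'Server could not write the temporary file.',
    UPLOAD_ERR_EXTENSION  => 'A PHP extension stopped the upload.',
];

if (!isset($_FILES['document']) || !is_array($_FILES['document'])) {
    rejectUpload('No file field in request.');
}
$file = $_FILES['document'];
if ($file['error'] !== UPLOAD_ERR_OK) {
    rejectUpload($errorText[$file['error']] ?? 'Unknown upload error.');
}

// 3. Only trust the temp file PHP itself created, and enforce our own size cap.
if (!is_uploaded_file($file['tmp_name'])) {
    rejectUpload('Not a genuine uploaded file.');
}
if ($file['size'] > MAX_BYTES) {
    rejectUpload('File larger than ' . MAX_BYTES . ' bytes.');
}

// 4. Validate by sniffing the content, not by trusting the client's filename or $_FILES['type'].
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = $finfo->file($file['tmp_name']);
if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
    rejectUpload('File type not allowed: ' . (string) $mime);
}

// 5. Never reuse the client's filename: store under an opaque name with a known-safe extension.
$storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
$target     = UPLOAD_DIR . DIRECTORY_SEPARATOR . $storedName;

if (!is_dir(UPLOAD_DIR) || !is_writable(UPLOAD_DIR)) {
    rejectUpload('Upload directory missing or not writable by the web server.');
}
if (!move_uploaded_file($file['tmp_name'], $target)) {
    rejectUpload('Could not move file into place.');
}
chmod($target, 0640);   // readable by the server's user/group only, and never executable

// Record the original name => stored name mapping in the database (for example via FX.php),
// and serve files back through a script that repeats the authorization check, not by direct URL.
echo 'Stored as ' . htmlspecialchars($storedName, ENT_QUOTES, 'UTF-8');
```

Keeping the directory outside DocumentRoot makes the index.html trick unnecessary, since there is no URL for a browser to list; if the host forces uploads under the web root, the index.html file is still a reasonable fallback, and an opaque random filename means a user can't guess someone else's upload either way.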
