[FX.php List] [OFF] Potential gotchas with uploading files?

Gjermund Gusland Thorsen ggt667 at gmail.com
Fri Apr 3 10:17:16 MDT 2009


rename .php files to .phps

http://pastebin.com/f7e3e9f38

ggt667

2009/4/3 Bob Patin <bob at patin.com>:
> I definitely wouldn't embed the upload path anywhere but in PHP so that it's
> not visible to users.
>
> Also, I check for authorization at the top of my upload pages, so that only
> someone who logged-in properly can load the upload pages--that will keep
> anyone else from being able to upload anything.
> I put something like this:
> <?php
> session_start(); // the session must be started before $_SESSION is readable
> if (!isset($_SESSION['convoluted_variable']) || $_SESSION['convoluted_variable'] != "lethimin") {
>     echo 'Access prohibited.';
>     exit;
> }
>
> Bob Patin
>
>
> Longterm Solutions
> bob at longtermsolutions.com
> 615-333-6858
> http://www.longtermsolutions.com
> iChat: bobpatin
> AIM: longterm1954
> FileMaker 9 Certified Developer
> Member of FileMaker Business Alliance and FileMaker TechNet
> --------------------------
> FileMaker hosting and consulting for all versions of FileMaker
> PHP • Full email services • Free DNS hosting • Colocation • Consulting
> On Apr 2, 2009, at 10:49 PM, Anders Monsen wrote:
>
> Not sure if your users will be able to see the upload directory path, but if
> this is the case and the path can be accessed via web browser, then they may
> end up with access to the entire directory via a browser. One way around
> this is to include an index.html file in that directory with a gentle
> message to the user. This way, if they put the directory path and a trailing
> slash they will see the contents of this file rather than the directory listing
> with options to download the files.
>
> --
> Anders Monsen
>
>
> -----Original Message-----
> From: fx.php_list-bounces at mail.iviking.org on behalf of Bob Patin
> Sent: Thu 4/2/2009 10:18 PM
> To: FX.php Discussion List
> Subject: Re: [FX.php List] [OFF] Potential gotchas with uploading files?
>
> Good point about the filesizes; there are a couple of filesize
> settings in PHP that you'll want to bump up--max file size is one, and
> there's a 2nd one, but I forget the name now. If you look for 'max'
> after pulling up phpinfo() on a page, you'll find it. If I remember
> correctly, they're set to 2MB by default.
>
>
>
> Bob Patin
>
>
> On Apr 2, 2009, at 9:57 PM, Dale Bengston wrote:
>
>> Hi Joel,
>>
>> The biggest headaches I've had with file upload have come from PHP
>> and Apache settings for file sizes and memory allocations. They're
>> set pretty low by default. Depending on what you're allowing for
>> uploads, this may not be an issue at all, but it got me. Also,
>> validate, validate, validate what's being uploaded.
>>
>> On Apr 2, 2009, at 9:15 PM, Joel Shapiro wrote:
>>
>>> Hi all
>>>
>>> I'm looking for thoughts on how complicated an upload-file site can
>>> be.
>>>
>>> I've got a potential new project that would involve people
>>> uploading files via the Web and then having those files accessible
>>> to FMP clients.  I haven't worked with uploading before, but I've
>>> successfully put together the basics of uploading files and moving
>>> them to a specified directory.  In my brief experimenting, though,
>>> I've already seen issues with access privileges of the uploaded
>>> files (on my development machine) and UPLOAD_ERR_NO_TMP_DIR errors
>>> on my regular web host.  I'm also aware that there are security
>>> concerns when uploading files to a server, and know that servers
>>> and php can be configured quite differently in different machines
>>> and environments (it's not yet determined if the site will be
>>> hosted internally or through an external FM host).  FWIW - I'd
>>> probably leave files in their directory(ies) on the web server and
>>> have the FMP clients get to them via their network paths, so I'm
>>> not very concerned about that part of it.
>>>
>>> For those that have worked with this, what kinds of problems
>>> should I be ready for?  Could this be a big headache?
>>>
>>> TIA,
>>> -Joel
>>> _______________________________________________
>>> FX.php_List mailing list
>>> FX.php_List at mail.iviking.org
>>> http://www.iviking.org/mailman/listinfo/fx.php_list
>>
>
>
>
>
>
>
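An added example, written for this archive page and not posted by anyone in the thread, that ties the advice above into one PHP upload handler: Bob's session gate, the UPLOAD_ERR_* codes Joel and Bob ran into, ggt667's .php-to-.phps rename, and a destination directory that is named only in PHP. The directory path, the form field name `upload` and the session variable/value are assumptions.

```php
<?php
// Added example (not from the thread): session check, upload error handling,
// extension rename, and a destination path that exists only in this file.
session_start();

// Bob's authorization gate: only a logged-in session may reach this page.
if (!isset($_SESSION['convoluted_variable']) || $_SESSION['convoluted_variable'] !== 'lethimin') {
    echo 'Access prohibited.';
    exit;
}

// Destination directory, defined here and never sent to the browser.
// Assumed path; keeping it outside the document root means nothing in it
// can be requested (or executed) directly over HTTP.
define('UPLOAD_DIR', '/var/www/private/uploads');

// PHP's upload error codes mapped to messages. The two named in the thread
// are the ones that bite first: the php.ini size limit and a missing temp dir.
$errors = array(
    UPLOAD_ERR_INI_SIZE   => 'File exceeds upload_max_filesize in php.ini',
    UPLOAD_ERR_FORM_SIZE  => 'File exceeds MAX_FILE_SIZE in the form',
    UPLOAD_ERR_NO_TMP_DIR => 'Missing temporary directory (check upload_tmp_dir)',
    UPLOAD_ERR_NO_FILE    => 'No file was uploaded',
);

function safe_name($original) {
    // Drop any directory part and anything outside a conservative character set.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($original));
    // ggt667's suggestion: a .php upload is stored as .phps so Apache will not run it.
    return preg_replace('/\.php$/i', '.phps', $name);
}

$file = isset($_FILES['upload']) ? $_FILES['upload'] : null;
if ($file === null || $file['error'] !== UPLOAD_ERR_OK) {
    $code = ($file === null) ? UPLOAD_ERR_NO_FILE : $file['error'];
    echo isset($errors[$code]) ? $errors[$code] : 'Upload failed (error ' . $code . ')';
    exit;
}

$dest = UPLOAD_DIR . '/' . safe_name($file['name']);
// move_uploaded_file() refuses any source that was not an HTTP upload.
if (!move_uploaded_file($file['tmp_name'], $dest)) {
    echo 'Could not store file.';
    exit;
}
// Joel's access-privilege problem: give the stored file a predictable,
// non-executable mode so the FMP clients can read it and nothing can run it.
chmod($dest, 0644);
echo 'Stored ' . htmlspecialchars(basename($dest));
```

The rename only covers a trailing `.php`; the directory outside the document root is the control that actually prevents execution, and the rename is a second layer on top of it.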


More information about the FX.php_List mailing list