Safe php upload


    Hello everyone.

    Can someone provide a safe php upload script and a safe .htaccess file to go with it?

    #2
    Save the file without an extension, use some hash as the file name for disk storage, and give it read rights only. Also, do not store the file in a public directory; store the real file name in the database.



      #3
      Thanks!

      The hashed name is very good for preventing unwanted files from being executed, and making them read-only will make sure the file cannot be changed.

      so:
      [Pre file checks here would also be handy to know the best ones to use.]
      move_uploaded_file($temp, 'nonPublicDirectory/HashedFileName');
      chmod("nonPublicDirectory/HashedFileName", 0644); // should this be 0400 ? (owner only read)
      // store the hashed disk name and the (sanitized) real name via a prepared statement
      $stmt = mysqli_prepare($connection, "INSERT INTO uploads (hashed, real) VALUES (?, ?)");
      mysqli_stmt_bind_param($stmt, "ss", $hashedFileName, $realFileName); // e.g. 'HashedFileName', 'file.png.php'
      mysqli_stmt_execute($stmt);

      Then how would you pass the file to the browser without executing it?

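      The storage steps from #2 and #3 (type check before anything else, content-hash name with no extension, read-only file outside the web root, real name kept only in the database, prepared INSERT) put together as one upload handler. This is an added example, not code from anyone in the thread. It assumes a form field named `upload`, a mysqli connection `$db`, a table `uploads(id, stored_name, real_name, mime, size)` and a `STORAGE_DIR` that is not under the document root; all of those names are assumptions.

```php
<?php
// Added example, not from the thread. Assumptions: form field "upload", mysqli $db,
// table uploads(id INT AUTO_INCREMENT, stored_name CHAR(64), real_name VARCHAR(255),
// mime VARCHAR(100), size INT), and STORAGE_DIR outside the web root.
declare(strict_types=1);

const STORAGE_DIR  = '/var/www/private_uploads'; // assumption: not under DocumentRoot
const MAX_BYTES    = 5 * 1024 * 1024;
const ALLOWED_MIME = ['image/png' => 1, 'image/jpeg' => 1, 'image/gif' => 1, 'application/pdf' => 1];

function store_upload(array $file, mysqli $db): int
{
    // 1. Checks on the upload record itself (the "pre file checks" asked about in #3).
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Invalid upload parameters');
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 2. Decide the type from the bytes, never from the client-supplied name or $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('Disallowed file type: ' . $mime);
    }

    // 3. Disk name: SHA-256 of the content, no extension, so nothing can make it
    //    match an Apache/PHP handler even if the directory were ever exposed.
    $stored = hash_file('sha256', $file['tmp_name']);
    $dest   = STORAGE_DIR . '/' . $stored;

    // 4. Move, then drop to owner-read-only (0400). If a separate download worker
    //    runs as another user in the same group, 0440 is the alternative.
    if (!file_exists($dest)) {
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            throw new RuntimeException('Could not move uploaded file');
        }
        chmod($dest, 0400);
    }

    // 5. The user-visible name only goes into the database; strip any path components.
    $real = substr(basename($file['name']), 0, 255);
    $size = (int) $file['size'];

    $stmt = $db->prepare('INSERT INTO uploads (stored_name, real_name, mime, size) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('sssi', $stored, $real, $mime, $size);
    $stmt->execute();
    return $db->insert_id;
}

// Usage (assumed form field "upload"):
// $id = store_upload($_FILES['upload'], $db);
```

      Because the disk name is the content hash, a second upload of the same bytes reuses the existing file and only adds a database row; use `bin2hex(random_bytes(32))` instead of `hash_file()` if you do not want that deduplication.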


        #4
        For file download, see below:
        PHP Code:
        header("Content-Type: application/octet-stream");
        header("Content-Transfer-Encoding: Binary");
        header('Content-disposition: attachment; filename="'.basename($filename).'"');
        header('Content-Length: ' . filesize($path_to_file_on_disk));
        readfile($path_to_file_on_disk); // readfile() writes the bytes itself; echoing its return value would append the byte count to the download
        exit;
        You can replace application/octet-stream with a proper MIME type.



          #5
          Thank you GumSlone.

          How would you do the same for images in HTML?

          If you had a lot of images on one page, would it cause high CPU?





            #6
            You could add some caching headers to the output file; this will prevent the image from being reloaded.

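            The serving side of #4, #5 and #6 in one handler: look the file up by id, send it with the MIME type recorded at upload time (plus `nosniff` so the browser does not second-guess it), and add the caching headers suggested in #6 so repeated page views with many images answer with a cheap 304 instead of re-reading the file. This is an added example, not code from anyone in the thread; it assumes the same `uploads(id, stored_name, real_name, mime, size)` table, `STORAGE_DIR` and mysqli `$db` as the upload example, and a script `file.php` that the `<img>` tags point at. Those names are assumptions.

```php
<?php
// Added example, not from the thread. Assumptions: table uploads(id, stored_name,
// real_name, mime, size), STORAGE_DIR outside the web root, mysqli $db, and an
// <img src="/file.php?id=42"> that calls serve_upload() with $inline = true.
declare(strict_types=1);

const STORAGE_DIR = '/var/www/private_uploads';

function serve_upload(int $id, mysqli $db, bool $inline = false): void
{
    $stmt = $db->prepare('SELECT stored_name, real_name, mime, size FROM uploads WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        http_response_code(404);
        exit;
    }

    // stored_name is a hex SHA-256 we generated ourselves; still refuse anything
    // else so a tampered database row cannot become a path traversal.
    if (!preg_match('/^[0-9a-f]{64}$/', $row['stored_name'])) {
        http_response_code(500);
        exit;
    }
    $path = STORAGE_DIR . '/' . $row['stored_name'];
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }

    // The name is the content hash, so the bytes never change: a strong ETag plus a
    // long max-age lets the browser revalidate cheaply or skip the request entirely.
    $etag = '"' . $row['stored_name'] . '"';
    header('Cache-Control: private, max-age=31536000, immutable');
    header('ETag: ' . $etag);
    if (($_SERVER['HTTP_IF_NONE_MATCH'] ?? '') === $etag) {
        http_response_code(304);
        exit;
    }

    // Use the type validated at upload time and forbid MIME sniffing, so a PNG that
    // happens to contain <script> or <?php is still rendered as an image, not run.
    header('Content-Type: ' . $row['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . (int) $row['size']);

    // Sanitise the user-visible name before echoing it into a response header.
    $name        = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['real_name']);
    $disposition = $inline ? 'inline' : 'attachment';
    header('Content-Disposition: ' . $disposition . '; filename="' . $name . '"');

    // Stream the bytes straight to the client; nothing here is passed through include()
    // or eval(), so the file is data to PHP, never code.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }
    readfile($path);
    exit;
}

// file.php:
// serve_upload((int) ($_GET['id'] ?? 0), $db, true);
```

            On a page with many images the first view still costs one `readfile()` per image; if that is too much CPU for PHP, the same handler can set `X-Sendfile` (Apache mod_xsendfile) or `X-Accel-Redirect` (nginx) instead of calling `readfile()` and let the web server stream the file, with the headers above unchanged.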
