PHP Upload Security
One of my PHP books recommends that any files uploaded via PHP should be stored outside the Web directory on the server to keep them inaccessible to users on the website and therefore more secure. Three questions:
1) Is this really the case, or in other words, is it insecure to store them within the directory?
2) How do I step out of the web directory with FTP to see the files that have been uploaded and saved there?
3) Is there an alternative to this that is equally or more secure and that allows me easier access from the back end?
The security problem you encounter is that I could upload a PHP script (even inside images, etc.), and I might be able to get it to execute if it's uploaded to the web directory. This can be avoided in a few ways; most interestingly would be to use Apache's settings to serve the contents without any PHP parsing, but that is not a foolproof solution.
You can only access the directories via FTP that the FTP server allows you access to.
So there is no threat if only trusted employees or colleagues will be uploading files?
I would still put security in place, it only takes one nasty file for a whole host of problems, and people can easily be convinced to damage their own computers, let alone upload untrusted files to a server.
How does someone actually go about creating a folder outside the web directory? For a long time now I haven't even known that I had a web directory.... how do I get above that?
If your host doesn't let you then you probably can't.
A large majority of the time web hosts are configured such that there is a "web document root" directory under which all HTTP-accessible files must go. This is typically given a name such as "httpdocs", "public_html", or "www" (but it could in theory be given any name). So if you are on a shared host, you might have your web pages in a directory called something like "/users/your_name/public_html/". If your control panel, FTP, or other login method has access to the "/users/your_name/" directory in this example, then you could create a directory there for your uploaded files, such as "/users/your_name/uploads/". This directory (and the files in it) would not be accessible via HTTP requests (i.e. via the web). However, you could have PHP or other script files under the "public_html" directory which could access that uploads directory via file-system functions, such as readfile(), allowing you to create a "file server" PHP script that would serve up any of those files to valid requests via that PHP script.
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
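As an added illustration of the "file server" script described in that reply (this is example code written for this page, not code from the thread or the book): a download.php that sits under public_html and hands out files from the "/users/your_name/uploads/" directory mentioned above. The directory path and the "f" query parameter are assumptions for the example; adjust them to your host's layout. The script refuses anything that does not resolve to a plain file inside the uploads directory, and sends a generic content type so the browser never treats an uploaded file as a page or script.

```php
<?php
// download.php -- lives under public_html, serves files stored OUTSIDE it.
// Assumed layout for this example: /users/your_name/uploads/ (not web accessible).
declare(strict_types=1);

const UPLOAD_DIR = '/users/your_name/uploads'; // assumption: change for your host

// Map a requested name to a real path inside UPLOAD_DIR, or null if it is not
// a plain file that lives there (covers "../" tricks and symlinks pointing out).
function resolve_upload(string $requested): ?string
{
    // Drop any directory part: "../../etc/passwd" becomes "passwd".
    $name = basename($requested);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . DIRECTORY_SEPARATOR . $name);
    // realpath() returns false when the target does not exist.
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still start with the uploads directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_upload($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

// Serve as a download with a generic type. Whatever the uploader claimed the
// file was, the browser is told not to sniff it into HTML or JavaScript.
$safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path));
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

A request such as yourdomain.com/download.php?f=report.pdf then returns /users/your_name/uploads/report.pdf, while ?f=../public_html/index.php is reduced to "index.php" by basename() and rejected because no such file exists in the uploads directory. Any access control (login check, per-user ownership) would go in front of resolve_upload(); the script above only shows the path handling.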
My host seems to give me access to the root directory (simply "/" in FTP). If I make two folders in that directory, one titled "Web" and the other "Uploads", could I just point my domain at that "Web" folder and still have access to the Uploads folder outside it?
/ (a.k.a. "root")
/Web (Point my domain here)
/Uploads (Upload things here for security?)
I hope this makes sense.
Connect with FTP and put a file like test.html with 'hello' in it in the highest directory you can access; you've said it's /. Open a browser and go to yourdomain.com/test.html. If you can see 'hello' your document root is web accessible. This would mean your document root is your web root and your host needs to give higher level access to you. As nogdog says there is usually a www or public_html folder. That is the web root normally. If you create folders next to the web root, they are not in the web root so are not web browseable. If you don't have a document root above your web root contact your host because you should have. If they won't give you that, change hosts. It could be an indication of their lack of ability or they simply don't care. It's a pretty big red flag.
There is a program called cURL that is part of PHP that allows anyone to POST to anywhere. It's incredibly handy but allows anyone to post files to anywhere too. You might think you've only given access to trusted people but you can't be sure someone isn't attacking your server and posting an executable file to the upload form's action address. If an attacker uploads an executable file to a non web root folder they can't access it to execute it.
To be somewhat secure you need to upload to a non web browseable folder, as your book suggests, and only restrict the files that are uploaded based on their extension, not their mime type.
Last edited by SyCo; 01-02-2009 at 02:26 PM.
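As an added example of the receiving side that SyCo's reply describes (example code written for this page, not from the thread): an upload.php that is the form's action target, checks the file's extension against an allowlist rather than trusting the client-supplied MIME type, and moves it into a directory outside the web root under a random name. The directory path, the size limit, the allowlist and the form field name "upload" are assumptions for the example. Note that $_FILES['upload']['type'] is whatever the client's POST said it was, which is why it is not consulted here.

```php
<?php
// upload.php -- the upload form's action. Lives under public_html but stores
// files OUTSIDE it. Assumed layout for this example: /users/your_name/uploads/
declare(strict_types=1);

const UPLOAD_DIR  = '/users/your_name/uploads';     // assumption: change for your host
const MAX_BYTES   = 5 * 1024 * 1024;                 // assumption: 5 MB limit
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf']; // assumption: what the site needs

// Validate one entry of $_FILES and return the extension to store it under.
function validate_upload(array $file): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, PHP error code ' . $err);
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Confirm the temp file really came in through this HTTP POST.
    if (!is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide on the LAST extension of the client-supplied name. The client's
    // MIME type ($file['type']) is ignored: the uploader controls it.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }
    return $ext;
}

// Move the validated upload into UPLOAD_DIR and return the stored name.
function store_upload(array $file): string
{
    $ext = validate_upload($file);
    // Never keep the client's file name: a random name means the uploader
    // cannot pick the path, overwrite another file, or guess others' names.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . DIRECTORY_SEPARATOR . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into place');
    }
    chmod($dest, 0640); // readable by the web user, never executable
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $stored = store_upload($_FILES['upload'] ?? []);
        echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

With this layout a file named shell.php is rejected outright, and a file named shell.php.jpg is accepted but stored as a random hex name ending in .jpg, in a directory the web server never maps to a URL, so even a mistake in the allowlist does not give the uploader a URL that Apache would hand to the PHP interpreter. Whatever posts to this script, a browser form or a cURL call as SyCo describes, goes through the same checks.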