Thread: PHP Upload Security

  1. #1
    Join Date
    Jan 2005

    PHP Upload Security

    One of my PHP books recommends that any files uploaded via PHP should be stored outside the Web directory on the server to keep them inaccessible to users on the website and therefore more secure. Three questions:

    1) Is this really the case, or in other words, is it insecure to store them within the directory?

    2) How do I step out of the web directory with FTP to see the files that have been uploaded and saved there?

    3) Is there an alternative to this that is equally or more secure and that allows me easier access from the back end?

  2. #2
    Join Date
    Jun 2003
    The security problem you encounter is that I could upload a PHP script (even inside images etc.), and I might be able to get it to execute if it's uploaded to the web directory. This can be avoided in a few ways; most interestingly would be to use Apache's settings to serve the contents without any PHP parsing, but that is not a foolproof solution.

    You can only access the directories via FTP that the FTP server allows you access to.
    If you are using PHP please use the [PHP] and [/PHP] forum tags for highlighting...
    The same applies to HTML and the forums [HTML][/HTML] tags.

  3. #3
    Join Date
    Jan 2005
    So there is no threat if only trusted employees or colleagues will be uploading files?

  4. #4
    Join Date
    Jun 2003
    I would still put security in place, it only takes one nasty file for a whole host of problems, and people can easily be convinced to damage their own computers, let alone upload untrusted files to a server.

  5. #5
    Join Date
    Jan 2005
    How does someone actually go about creating a folder outside the web directory? For a long time now I haven't even known that I had a web directory... how do I get above that?

  6. #6
    Join Date
    Jun 2003
    If your host doesn't let you then you probably can't.

  7. #7
    Join Date
    Aug 2004
    A large majority of the time web hosts are configured such that there is a "web document root" directory under which all HTTP-accessible files must go. This is typically given a name such as "httpdocs", "public_html", or "www" (but it could in theory be given any name). So if you are on a shared host, you might have your web pages in a directory called something like "/users/your_name/public_html/". If your control panel, FTP, or other login method has access to the "/users/your_name/" directory in this example, then you could create a directory there for your uploaded files, such as "/users/your_name/uploads/". This directory (and the files in it) would not be accessible via HTTP requests (i.e. via the web). However, you could have PHP or other script files under the "public_html" directory which could access that uploads directory via file-system functions, such as readfile(), allowing you to create a "file server" PHP script that would serve up any of those files to valid requests via that PHP script.
    "Well done....Consciousness to sarcasm in five seconds!" ~ Terry Pratchett, Night Watch

    How to Ask Questions the Smart Way (not affiliated with this site, but well worth reading)

    My Blog
    cwrBlog: simple, no-database PHP blogging framework
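
    The "file server" script nogdog describes, written out as an added example (this is not code from the thread or from any poster). It assumes the layout from the post above: the script sits in public_html/ and the uploads directory is its sibling, so nothing in it has a URL of its own. It also assumes the upload handler stored each file under a random 32-hex-character name with an allow-listed extension; the strict name pattern plus a realpath() prefix check is what keeps a request like ?f=../../etc/passwd from ever reaching the file system. Hooking in your own "is this user allowed to see this file" check is left as a marked comment, because that depends on your application.

```php
<?php
// download.php: added example, not from the thread. Serves files stored in an
// "uploads" directory that sits beside the document root, so they are never
// reachable by a direct URL. Assumed (hypothetical) layout:
//   /users/your_name/public_html/download.php   <- this script
//   /users/your_name/uploads/                   <- uploaded files
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../uploads';

// Only names produced by the upload handler look like this; anything else is
// rejected before the file system is touched (this alone blocks "../").
function safe_name(string $name): ?string
{
    return preg_match('/\A[a-f0-9]{32}\.(pdf|png|jpg|gif)\z/', $name) ? $name : null;
}

// Map a requested name to a real path under UPLOAD_DIR, or null.
function resolve_upload(string $name): ?string
{
    $safe = safe_name($name);
    if ($safe === null) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $safe);
    // realpath() collapses symlinks and "..", so the prefix check guarantees
    // the resolved file really lives inside the upload directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The type comes from the extension we stored, never from the client.
// Unknown types go out as octet-stream so the browser just saves them.
function content_type_for(string $path): string
{
    $map = ['pdf' => 'application/pdf', 'png' => 'image/png',
            'jpg' => 'image/jpeg',      'gif' => 'image/gif'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return $map[$ext] ?? 'application/octet-stream';
}

// Your own authorisation check belongs here (is the logged-in user allowed
// to fetch this file?). This script only demonstrates the safe path handling.
$path = resolve_upload($_GET['f'] ?? '');
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

header('Content-Type: ' . content_type_for($path));
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

    A request would look like /download.php?f=3f2a...c9.pdf. Because the script, not the web server, decides what is sent, the stored files can carry any content at all without the server ever executing them; the Content-Disposition and nosniff headers stop a browser from rendering a stored file as HTML or script.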

  8. #8
    Join Date
    Jan 2005
    My host seems to give me access to the root directory (simply "/" in FTP). If I make two folders in that directory, one titled "Web" and the other "Uploads", could I just point my domain at that "Web" folder and still have access to the Uploads folder outside it?

    / (a.k.a. "root")
    /Web (Point my domain here)
    (Upload things here for security?)

    I hope this makes sense.

  9. #9
    Join Date
    Apr 2007
    Connect with FTP and put a file like test.html with 'hello' in it in the highest directory you can access; you've said it's / . Open a browser and go to yourdomain.com/test.html. If you can see 'hello' your document root is web accessible. This would mean your document root is your web root and your host needs to give higher level access to you. As nogdog says there is usually a www or public_html folder. That is the web root normally. If you create folders next to the web root, they are not in the web root so are not web browseable. If you don't have a document root above your web root contact your host because you should have. If they won't give you that, change hosts. It could be an indication of their lack of ability or they simply don't care. It's a pretty big red flag.

    There is a program called cURL that is part of PHP that allows anyone to POST to anywhere. It's incredibly handy but allows anyone to post files to anywhere too. You might think you've only given access to trusted people but you can't be sure someone isn't attacking your server and posting an executable file to the upload form's action address. If an attacker uploads an executable file to a non web root folder they can't access it to execute it.

    To be somewhat secure you need to upload to a non web browseable folder, as your book suggests, and only restrict the files that are uploaded based on their extension, not their mime type.
    Last edited by SyCo; 01-02-2009 at 02:26 PM.
    Anti Linux rants are usually the result of a lack of Linux experience, while anti Windows rants are usually a result of a lot of Windows experience.
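
    An upload handler along the lines SyCo describes, as an added example that is not part of this thread. It assumes the script lives in public_html/ with a sibling uploads/ directory that the web server does not serve, and a form field named userfile (both assumptions). The accept/reject decision rests on an allow-list of extensions, not on the MIME type the client claims; the stored name is random so the client controls neither name nor path; and move_uploaded_file() is used because it refuses anything PHP did not itself receive in this request's POST body, which covers the cURL-straight-to-the-action-URL case just as well as the browser form.

```php
<?php
// upload.php: added example, not from the thread. Accepts a file from a form
// field named "userfile" and stores it outside the document root under a
// random name, keeping only an allow-listed extension.
// Assumed (hypothetical) layout: this script lives in public_html/ and the
// "uploads" directory is its sibling, outside anything served over HTTP.
declare(strict_types=1);

const UPLOAD_DIR  = __DIR__ . '/../uploads';
const MAX_BYTES   = 5 * 1024 * 1024;
const ALLOWED_EXT = ['pdf', 'png', 'jpg', 'gif'];

// Decide, from the client-supplied file name alone, which extension (if any)
// the stored copy gets. The allow-list is the only thing that matters:
// "shell.php", a double extension like "shell.php.jpg", "shell.phtml" and
// ".htaccess" all fail here.
function allowed_extension(string $clientName): ?string
{
    $base = basename(str_replace('\\', '/', $clientName));
    if ($base === '' || $base[0] === '.' || substr_count($base, '.') !== 1) {
        return null;                       // exactly one extension, no dotfiles
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $ext : null;
}

// Validate one $_FILES entry and store it. Returns [storedName, null] on
// success or [null, errorMessage] on failure.
function store_upload(array $file, string $dir): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [null, 'upload failed (error ' . $file['error'] . ')'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [null, 'file too large'];
    }
    $ext = allowed_extension($file['name']);
    if ($ext === null) {
        return [null, 'file type not allowed'];
    }
    // Random stored name: the client chooses neither the name nor the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $target = rtrim($dir, '/') . '/' . $stored;
    // move_uploaded_file() only moves files PHP received via HTTP POST in this
    // request; any other source path is refused.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return [null, 'could not store file'];
    }
    chmod($target, 0640);                  // data only, never executable
    return [$stored, null];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    [$stored, $err] = store_upload($_FILES['userfile'], UPLOAD_DIR);
    if ($err !== null) {
        http_response_code(400);
        exit(htmlspecialchars($err));
    }
    // Only the random name is echoed; the real path never leaves the server.
    echo 'Stored as ' . htmlspecialchars($stored);
}
```

    Even with the extension check in place the directory must stay outside the web root: a file that is really PHP but named .jpg cannot run from there, whereas inside the web root it is one misconfigured handler away from executing. Keep the random stored name (and not the client's original name) as the key you hand back to users and later feed to the download script.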
