Practices to follow when allowing for file uploads in PHP?
12 replies, posted
So, basically a site I'm creating requires the ability for users to upload files. The way I'm doing it now is user uploads allowed file, it's moved to a folder, and an entry is inserted into the database with all the information.
Is there a better, or more recommended way of doing this? If this is the best way, what's a good way to prevent people from simply using the direct link and downloading files.
Anyone have a good answer...?
HTML is a programming language, and not a markup language, lol
Why don't you want people to use the direct link?
Also, I'd say either a) force people to download certain types of file e.g. php/html pages as opposed to viewing them (like [URL="http://filesmelt.com"]filesmelt[/URL]), so people can't upload php/html files to your server and then run scripts or b) don't allow people to upload certain filetypes - if they want to upload some php they can always just use pastebin or upload it as a text file
[QUOTE=aero1444;32409368]Why don't you want people to use the direct link?
Also, I'd say either a) force people to download certain types of file e.g. php/html pages as opposed to viewing them (like [URL="http://filesmelt.com"]filesmelt[/URL]), so people can't upload php/html files to your server and then run scripts or b) don't allow people to upload certain filetypes - if they want to upload some php they can always just use pastebin or upload it as a text file[/QUOTE]
Well, suppose a direct link wouldn't be a problem, but how would I block access to the folder where all files are being stored? So they can't just browse around...
snip damnit
[QUOTE=dmillerw;32415669]Well, suppose a direct link wouldn't be a problem, but how would I block access to the folder where all files are being stored? So they can't just browse around...[/QUOTE]
Simplest is done by placing an index.html (or .php, ...) file in the same folder.
If your server supports .htaccess files (or you are able to edit the apache config) then you can just set permissions.
[QUOTE=dmillerw;32415669]Well, suppose a direct link wouldn't be a problem, but how would I block access to the folder where all files are being stored? So they can't just browse around...[/QUOTE]
Like the above said, you can add in an .htaccess file also blocking the execution of scripts in the upload directory and just add the index file straight in there so it would be pretty hard to find the files.
I'd always have PHP serve the files and force the content-type desired (always check content-type upon upload, if faked this forces the right type and it'll simply download a faulty file).
The biggest fail is allowing php execution, so if you're uploading php files make sure they're served as txt or simply downloaded.
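An added example (not code from anyone in this thread) of the upload side the posts above describe: the file is checked, stored outside the web root under a random name, and recorded in the database. The form field name, the directory, the `uploads` table and the `$pdo` connection are all assumptions.

```php
<?php
// Added example, not code from the thread. Validates one uploaded file, stores
// it outside the web root under a random name and records it in the database.
// Assumptions: form field "upload", directory /var/app/uploads outside
// DocumentRoot, a PDO connection $pdo and a table "uploads" (all constructed).
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 10 * 1024 * 1024; // 10 MiB, an assumed policy limit
// Allowlist keyed by the MIME type detected from the file's bytes.
const ALLOWED = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
    'text/plain'      => 'txt', // PHP source can still be shared as text
];

function store_upload(array $file, PDO $pdo): int
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Not an uploaded file or too large');
    }
    // $_FILES['type'] comes from the browser and can say anything; sniff the
    // real type from the contents instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("Type $mime is not allowed");
    }
    // Random stored name: the user's filename never reaches the filesystem,
    // so path tricks or a .php extension in it cannot matter here.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload into place');
    }
    chmod($dest, 0640); // readable by the server, never executable

    $stmt = $pdo->prepare(
        'INSERT INTO uploads (stored_name, original_name, mime, size, uploaded_at)
         VALUES (?, ?, ?, ?, NOW())'
    );
    $stmt->execute([$stored, basename($file['name']), $mime, $file['size']]);
    return (int) $pdo->lastInsertId();
}

// Usage from the form handler: $id = store_upload($_FILES['upload'], $pdo);
```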
Store the files outside the public directory;
Save file information in a database (mime-type, filename, size, date?);
Use a gateway script paired with sendfile (mod_xsendfile on Apache, for example.) to serve files.
[QUOTE=StinkyJoe;32429657]Store the files outside the public directory;
Save file information in a database (mime-type, filename, size, date?);
Use a gateway script paired with sendfile (mod_xsendfile on Apache, for example.) to serve files.[/QUOTE]
Understand the first two things. Explain the third one?
[QUOTE=dmillerw;32449128]Understand the first two things. Explain the third one?[/QUOTE]
Basically, you don't want to have your files available in the public directory, and you'll want (and need) to serve them through a (PHP) script. This script will, for example, look at the database to see if the file is available, maybe increment a "downloaded x times" counter, whatever, and then output the file.
Most commonly the "output the file" part is done with the php function [url=http://php.net/manual/en/function.readfile.php]readfile[/url], paired with the correct content-type header. The problem with this approach is that PHP has to read the whole file into memory, and then write it back to the output buffer. With, for example, mod_xsendfile (which is an Apache extension), you simply set a response header ( X-Sendfile ) with a path to the file you want to send (X-Sendfile:path/to/file.tar), the server sees that (before it reaches the client, of course - the client never sees that header), and it takes care of serving the file in a much more efficient manner.
That's my 2am explanation of the whole thing, let me know if you need any more help.
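An added example (not StinkyJoe's code) of the gateway script just described, which also covers aero1444's point about forcing a download instead of rendering: it looks the file up by id, counts the download, and hands the transfer to mod_xsendfile when it is loaded. The table layout, the directory, the `$pdo` connection and the `USE_XSENDFILE` switch are assumptions.

```php
<?php
// Added example, not StinkyJoe's code: the gateway script from the post above.
// It looks the file up by id, counts the download, forces the type recorded at
// upload time, and hands the transfer to mod_xsendfile when it is loaded.
// Assumptions: table "uploads" with a "downloads" column, files in
// /var/app/uploads outside DocumentRoot, a PDO connection $pdo (constructed).
declare(strict_types=1);

const UPLOAD_DIR    = '/var/app/uploads';
const USE_XSENDFILE = true; // assumed: XSendFile On, XSendFilePath covers UPLOAD_DIR

function serve_file(int $id, PDO $pdo): void
{
    $stmt = $pdo->prepare(
        'SELECT stored_name, original_name, mime, size FROM uploads WHERE id = ?'
    );
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Any per-user authorization check belongs here, before the row is served.
    $path = $row ? UPLOAD_DIR . '/' . basename($row['stored_name']) : '';
    if ($row === false || !is_file($path)) {
        http_response_code(404);
        exit('Not found');
    }
    $pdo->prepare('UPDATE uploads SET downloads = downloads + 1 WHERE id = ?')
        ->execute([$id]);

    // Use the type we detected at upload, never the request, and send as an
    // attachment so an uploaded HTML/SVG file is never rendered in our origin.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: ' . $row['mime']);
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . $row['size']);

    if (USE_XSENDFILE) {
        // Apache removes this header and streams the file itself; the client
        // never sees the path.
        header('X-Sendfile: ' . $path);
        exit;
    }
    // Fallback without mod_xsendfile: let PHP copy the file to the output.
    readfile($path);
    exit;
}

serve_file((int) ($_GET['id'] ?? 0), $pdo);
```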
[QUOTE=StinkyJoe;32449382]Basically, you don't want to have your files available in the public directory, and you'll want (and need) to serve them through a (PHP) script. This script will, for example, look at the database to see if the file is available, maybe increment a "downloaded x times" counter, whatever, and then output the file.
Most commonly the "output the file" part is done with the php function [url=http://php.net/manual/en/function.readfile.php]readfile[/url], paired with the correct content-type header. The problem with this approach is that PHP has to read the whole file into memory, and then write it back to the output buffer. With, for example, mod_xsendfile (which is an Apache extension), you simply set a response header ( X-Sendfile ) with a path to the file you want to send (X-Sendfile:path/to/file.tar), the server sees that (before it reaches the client, of course - the client never sees that header), and it takes care of serving the file in a much more efficient manner.
That's my 2am explanation of the whole thing, let me know if you need any more help.[/QUOTE]
Well, that was a lot easier than I thought it'd be. Appreciate the help.