
any ideas on how to make this more secure?



Do'h!
06-11-2007, 11:24 PM
hey guys, I am not so good at PHP, so can you tell me more ways I can make this upload script I wrote more secure?

uploading script: http://share.codelove.org/G-man-8vqX3ug0.html
html form: http://share.codelove.org/G-man-3R0m7Pt6.html

thanks in return.

_Aerospace_Eng_
06-11-2007, 11:35 PM
From looking at the code I'm guessing all it does is allow users to create files by uploading them. How will these files be displayed? I think you should use htmlentities. I don't know if I would use an upload form like this one if I were you. What is to stop someone from creating a PHP file and then navigating to it? This PHP file could compromise your server. I think if anything you would set the type to .txt so it couldn't be executed as .php.

Do'h!
06-13-2007, 05:19 AM
From looking at the code I'm guessing all it does is allow users to create files by uploading them. How will these files be displayed? I think you should use htmlentities. I don't know if I would use an upload form like this one if I were you. What is to stop someone from creating a PHP file and then navigating to it? This PHP file could compromise your server. I think if anything you would set the type to .txt so it couldn't be executed as .php.

Good idea, and then I will include() the txt.

any ideas on how to allow users to make their own usernames/passwords without the aid of MySQL?

_Aerospace_Eng_
06-13-2007, 05:26 AM
Just do some searching for a "Flat File Membership System". I don't really recommend this as flat files can get very large in file size if you have a lot of users. Why don't you want to use a database for this? It would be much more efficient.
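
As an added example (not code from the thread or from any "Flat File Membership System" package), this is the minimal shape such a store needs to be safe: bcrypt hashes via password_hash(), never plaintext, an exclusive file lock so two concurrent registrations cannot both claim a name, and a data file kept outside the web root. USERS_FILE, the username rule and the one-JSON-record-per-line layout are all assumptions of this example; it assumes PHP 7 or later.

```php
<?php
// Added example, not from the original thread: a flat-file user store.
// Assumptions: PHP 7+, USERS_FILE is outside the web root (never served
// by the web server), one JSON object per line: {"user": ..., "hash": ...}.

declare(strict_types=1);

const USERS_FILE = __DIR__ . '/../data/users.txt'; // assumed path, not web-reachable

// Restrict usernames so a record can never contain a newline or JSON junk.
function valid_username(string $u): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $u);
}

function find_user($fh, string $username): ?array
{
    rewind($fh);
    while (($line = fgets($fh)) !== false) {
        $rec = json_decode($line, true);
        if (is_array($rec) && isset($rec['user']) && $rec['user'] === $username) {
            return $rec;
        }
    }
    return null;
}

// Returns true when the account was created, false on bad input or a taken name.
function register_user(string $username, string $password): bool
{
    if (!valid_username($username) || strlen($password) < 8) {
        return false;
    }
    $fh = fopen(USERS_FILE, 'c+'); // create if missing, do not truncate
    if ($fh === false) {
        return false;
    }
    // Exclusive lock: the duplicate check and the append happen atomically
    // with respect to any other request doing the same thing.
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return false;
    }
    $ok = false;
    if (find_user($fh, $username) === null) {
        // password_hash() generates a random salt and uses bcrypt by default;
        // the plaintext password is never written anywhere.
        $rec = ['user' => $username, 'hash' => password_hash($password, PASSWORD_DEFAULT)];
        fseek($fh, 0, SEEK_END);
        $ok = fwrite($fh, json_encode($rec) . "\n") !== false;
        fflush($fh);
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// Returns true only when the user exists and the password matches its hash.
function check_login(string $username, string $password): bool
{
    if (!valid_username($username) || !is_file(USERS_FILE)) {
        return false;
    }
    $fh = fopen(USERS_FILE, 'r');
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_SH); // shared lock: readers do not block each other
    $rec = find_user($fh, $username);
    flock($fh, LOCK_UN);
    fclose($fh);
    // password_verify() re-hashes with the stored salt and compares in constant time.
    return $rec !== null && password_verify($password, $rec['hash']);
}
```

The same scaling caveat the post gives still applies: every lookup is a linear scan of the file, so this is fine for a handful of users and a poor fit for thousands, where a database with an index on the username is the right tool.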

aedrin
06-13-2007, 03:39 PM
Good Idea, and then I will include() the txt.

It would be even safer to use file_get_contents(), as the contents wouldn't be parsed for PHP then.

bubbles19518
06-13-2007, 03:55 PM
To validate that the images they upload are actually images I recommend checking using something similar to this:



<?php

// getimagesize() reads the image header bytes and returns false when the file
// is not an image, so check for false before trusting any of the values.
$info = getimagesize("image_name.jpg");

if ($info === false) {
    echo "Not a valid image";
    exit;
}

list($width, $height, $type, $attr) = $info;

echo "Image width " . $width;
echo "<BR>";
echo "Image height " . $height;
echo "<BR>";
echo "Image type " . $type;   // an IMAGETYPE_* constant, e.g. 2 for JPEG
echo "<BR>";
echo "Attribute " . $attr;    // ready-made width="..." height="..." string for an <img> tag

?>

If the file isn't a valid image it shouldn't have a width or a height.
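
Pulling the advice from the last few posts together (don't let an upload become an executable .php file, read it back with file_get_contents()/readfile() rather than include(), and use getimagesize() to check it really is an image), here is an added example of a hardened upload handler. It is not the original poster's script from the linked paste and not code from the thread; UPLOAD_DIR (assumed to sit outside the web root), the allowed-type table, the size limit and the serve_upload() helper are all assumptions of this example, and it assumes PHP 7 or later.

```php
<?php
// Added example, not from the original thread: a hardened image upload handler.
// Assumptions: PHP 7+, UPLOAD_DIR is outside DocumentRoot (so nothing in it can
// be requested, let alone executed, directly), and files are shown back to
// users only through serve_upload(), which streams bytes and never include()s.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/../uploads'; // assumed: not web-reachable
const MAX_BYTES  = 2 * 1024 * 1024;         // assumed limit: 2 MiB

// Accepted types, keyed by what getimagesize() detects from the bytes. The
// stored extension comes from this table, never from the client's filename,
// so "shell.php", "shell.php.jpg" or "shell.phtml" can never be written.
const ALLOWED = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// Takes one entry of $_FILES; returns the server-chosen stored name.
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Refuse anything PHP did not itself receive as an upload, so a forged
    // tmp_name cannot be used to copy an arbitrary server file around.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Content check: the client's Content-Type and extension are ignored.
    // getimagesize() returns false for anything that is not an image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Random name chosen by the server: no path traversal, no user-controlled text.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $name;
}

// Streams a stored image back. readfile() (like file_get_contents()) copies
// bytes; unlike include() it never hands the file to the PHP parser.
function serve_upload(string $name): void
{
    // Only names we generated are valid, which also rules out "../" tricks.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
    header('Content-Type: ' . $mime[substr($name, -3)]);
    header('X-Content-Type-Options: nosniff'); // browser must not re-guess the type
    header('Content-Disposition: inline; filename="' . $name . '"');
    readfile($path);
}

// Entry point for the HTML form's <input type="file" name="upload">.
if (PHP_SAPI !== 'cli' && isset($_FILES['upload'])) {
    try {
        $stored = store_upload($_FILES['upload']);
        // Any value echoed into HTML goes through htmlentities(), as advised above.
        echo 'stored as ' . htmlentities($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlentities($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

getimagesize() only proves the header looks like an image; a file can be both a valid GIF and valid PHP source, which is why the handler also refuses to ever store a .php extension and keeps the directory outside the web root. The type check, the server-chosen name and the non-executing serve path are three independent layers, and each one alone would stop the "upload a PHP file and navigate to it" attack the earlier reply describes.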

Do'h!
06-13-2007, 10:22 PM
thanks a lot guys.

I prefer not to use MySQL because I know nothing about it. I have it installed and all, I just don't know how to use it (yet).


