Post: Secure file upload storage
03-20-2016, 11:05 PM #1
Passion
League Champion
So I made a file uploader; turns out I didn't block PHP execution and other harmful execution, and got my site 'shelled'.
How is this harmful? Well, people can view all your folders, get access to your directory, and a bunch of other stuff. They can basically 'deface' your site.
This little trick prevents PHP execution and other harmful execution on your site (uploads folder).
Create a new file called .htaccess
Place this code in the file
# Deny every request into this directory by default (Apache 2.2 "Order" syntax)
Order Allow,Deny
Deny from all
# Re-allow only files whose name has exactly one dot and a whitelisted extension,
# so "shell.php" and "shell.php.jpg" are both refused
<FilesMatch "^[^.]+\.(?i:jpe?g|png|gif|pdf|li|rar|zip|txt|vcf|mp3|mp4)$">
Allow from all
</FilesMatch>


Tustin's alternative for nginx users
<?php
// end() needs a real variable, so split first, then take the last piece
$parts = explode(".", $_FILES["avatar"]["name"]);
$file_type = strtolower(end($parts));
if ($file_type === "edat") {
    // do additional checking / move file to public directory
}
Last edited by Passion ; 03-25-2016 at 12:51 AM.

The following 2 users say thank you to Passion for this useful post:

Specter, THΞSPIKYBROHD
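The .htaccess above uses the Apache 2.2 directives Order, Allow and Deny. Apache 2.4 only understands them when mod_access_compat is loaded; without it the request fails with a 500. Below is an added example, not part of the post, of the same rule in 2.4 syntax, plus a defence-in-depth line that switches the PHP engine off for the directory even if a file ever slips past the whitelist. It assumes the file sits in the uploads directory, that the directory has AllowOverride All, and that PHP runs as mod_php (the IfModule guard keeps the file valid on PHP-FPM setups, where php_flag would otherwise be an unknown directive). The extension list is copied from the post, including the odd "li" entry; drop anything your application does not actually accept.

```apache
# Apache 2.4 form of the .htaccess in the post (added example).
# Assumes AllowOverride All on the uploads directory:
#   Require   needs AllowOverride AuthConfig
#   php_flag  needs AllowOverride Options

# Refuse every request into this directory ...
Require all denied

# ... except files whose name has exactly one dot and a whitelisted extension.
# "shell.php" and "shell.php.jpg" both fail the match and stay denied.
# FilesMatch sees only the base name, so the rule also covers subdirectories.
<FilesMatch "^[^.]+\.(?i:jpe?g|png|gif|pdf|li|rar|zip|txt|vcf|mp3|mp4)$">
    Require all granted
</FilesMatch>

# Defence in depth: even a whitelisted-looking file must never run as PHP.
# Module name is mod_php.c on PHP 8, mod_php7.c / mod_php5.c on older builds;
# with PHP-FPM this block is skipped and the deny rule above does the work.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

Test it after deploying: request a known-good image under /uploads/ (expect 200), a file named test.php (expect 403), and a file named test.php.jpg (expect 403). If the image also returns 403 or the server answers 500, AllowOverride is too restrictive for one of the directives.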
03-20-2016, 11:43 PM #2
Passion
League Champion
Also, don't mind the groan; it's just some butthurt idiot that groans at every thread I create.
03-21-2016, 12:10 AM #3
Tustin
Balls of Steel
Alternatively, if you don't use Apache, you can set this up in your upload script before moving files around:
<?php
// end() needs a real variable, so split first, then take the last piece
$parts = explode(".", $_FILES["avatar"]["name"]);
$file_type = strtolower(end($parts));
if ($file_type === "edat") {
    // do additional checking / move file to public directory
}

Just an alternative if you don't run Apache, like I mentioned :) But IMO, why not have both, just in case.

The following user thanked Tustin for this useful post:

Specter
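Tustin's snippet stops at the extension check. The following is an added example, not Tustin's code, of an upload handler that carries that check through to disk: whitelist the last extension, sniff the file contents with finfo so a PHP script renamed to .jpg is caught, and store it under a random server-chosen name so the client's filename (and any double extension or path component in it) never reaches the filesystem. The field name "avatar", the upload directory, the size limit and the whitelist are assumptions.

```php
<?php
// Added example (not from the thread). Assumptions: the form field is
// "avatar" and uploads live in UPLOAD_DIR, which the web server serves as
// static files and never executes (see the .htaccess / nginx rules).
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed path
const MAX_BYTES  = 5 * 1024 * 1024;        // assumed limit: 5 MiB

// Extension => MIME type(s) finfo must report for the file contents.
// Only these extensions are ever written to disk, and only in this spelling.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
    'txt'  => ['text/plain'],
];

/**
 * Validate one entry of $_FILES and return the path it was stored at.
 * Throws RuntimeException on any problem; the caller decides how to report it.
 */
function storeUpload(array $file): string
{
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . $code);
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Only the last extension counts, lower-cased. "shell.php.jpg" yields
    // "jpg" here, but the file is stored as <random>.jpg, never under the
    // client's name, so the extra ".php" never reaches the filesystem.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed: ' . $ext);
    }

    // Sniff the actual bytes; a PHP script renamed to .jpg reports text/x-php.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type " . var_export($mime, true) . " does not match .$ext");
    }

    // Random, server-chosen name: no path traversal, no double extensions,
    // no collisions with existing files.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // move_uploaded_file() refuses anything that was not an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0644); // readable by the web server, never executable
    return $dest;
}

// Usage from the upload handler:
if (isset($_FILES['avatar'])) {
    try {
        $saved = storeUpload($_FILES['avatar']);
        echo 'stored as ' . htmlspecialchars(basename($saved));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

The extension whitelist and the content sniff are deliberately both present: the whitelist decides what name the file gets on disk, the sniff decides whether the bytes are what that name claims. Neither replaces the web-server rule that stops the uploads directory from being executed at all.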
03-21-2016, 01:15 AM #4
Specter
Pro Memer
Originally posted by Tustin
Alternatively, if you don't use Apache, you can set this up in your upload script before moving files around:

<?php
// end() needs a real variable, so split first, then take the last piece
$parts = explode(".", $_FILES["avatar"]["name"]);
$file_type = strtolower(end($parts));
if ($file_type === "edat") {
    // do additional checking / move file to public directory
}

Just an alternative if you don't run Apache, like I mentioned :) But IMO, why not have both, just in case.


Yeah, I don't typically use Apache, as nginx is much more secure and stable. Good post :p
03-25-2016, 12:50 AM #5
Passion
League Champion
Originally posted by Specter
Yeah, I don't typically use Apache, as nginx is much more secure and stable. Good post :p


You can still use the .htaccess in nginx and convert the rules to make it work in nginx, at least that is what I've heard.
03-25-2016, 01:32 AM #6
Specter
Pro Memer
Originally posted by Passion
You can still use the .htaccess in nginx and convert the rules to make it work in nginx, at least that is what I've heard.


I've never heard of that, to be honest; I'll have to look into it. When I had to do something like a .htaccess in nginx, you have to write the rules in the server blocks (I can't remember where the config file is). Most of the time you want to avoid the use of .htaccess files anyway; they load every time rather than on restart and are inefficient, hence the saying "If you have to use .htaccess, you're probably doing it wrong". Not saying what you did is bad or wrong, but if you can avoid it, it's better :p
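As an added example of the server-block rules Specter describes (not Specter's configuration, and not a mechanical conversion of the .htaccess), here is the nginx equivalent of the whitelist from the first post. The web root, the /uploads/ path and the PHP-FPM socket are assumptions. The important nginx-specific point is ordering: regex locations are tried in the order they appear and the first match wins, so the two /uploads/ locations must come before the generic \.php$ location or that location will happily execute /uploads/shell.php.

```nginx
# Added example (not from the thread). Assumes the site root is
# /var/www/site, uploads live in /var/www/site/uploads, and PHP is
# handled by php-fpm on the socket below.
server {
    listen 80;
    server_name example.com;        # assumed
    root /var/www/site;             # assumed web root

    # 1. Serve only whitelisted uploads: exactly one dot in the file name,
    #    extension from the list, case-insensitive ("~*"). Files in
    #    subdirectories of /uploads/ are not matched here and fall to 2.
    location ~* "^/uploads/[^/.]+\.(jpe?g|png|gif|pdf|rar|zip|txt|vcf|mp3|mp4)$" {
        try_files $uri =404;
        # Stop browsers from second-guessing the Content-Type of what we serve.
        add_header X-Content-Type-Options nosniff;
    }

    # 2. Everything else under /uploads/ (shell.php, shell.php.jpg, dotfiles,
    #    directory listings) is refused. Because this regex location comes
    #    before the PHP one, the PHP handler never sees the directory.
    location ~ "^/uploads/" {
        return 403;
    }

    # 3. Ordinary PHP handler for the rest of the site.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check it with nginx -t, reload, and then request /uploads/test.php and /uploads/test.php.jpg (both should return 403) and a real image under /uploads/ (200). If a later include adds another location ~ \.php$ above these blocks, the protection silently disappears, so keep the uploads rules and the PHP handler in the same file.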
03-28-2016, 09:40 PM #7
Indie Developer
Reverse Engineer
"secure" :p

But good things, mate.

Copyright © 2024, NextGenUpdate.
All Rights Reserved.