Jul 02, 2020

PHP Secure file uploading

Here I'm going to share an easy and secure way to upload your images and other files. You have to be extremely careful when you accept file uploads in your web applications. Sometimes we make foolish assumptions, such as that we don't need security checks for privileged users like administrators. That is false. If an attacker exploits our web application and logs in as admin, he will next try to gain access to the complete server. So it is important to secure file uploads everywhere.

In an HTML form we can make a file input by setting the input type to 'file'.
<input type="file" name="my_image">
In PHP, like the GET, POST and COOKIE variables, there is also a global variable called FILES. We can extract files from this multidimensional array. I hope you remember that we read a cookie named my_cookie with $_COOKIE['my_cookie']. In the same way we can get our uploaded file with $_FILES['my_image'], and we can access the name of the file with $_FILES['my_image']['name'].

1) Check file extension.

One of the most important validations is the file type. If you want users to upload images, limit the file extension to types such as jpg, jpeg, gif etc. Why do you need to limit file types? Suppose you expect a user to upload a profile image, and an attacker uploads a PHP shell through your file upload form instead. Now he can execute the shell from your uploads directory.

So let's see how we can check the file extension with PHP. PHP has a function called pathinfo() that extracts information from a file name. It expects two main parameters: the first is the file and the second is the part you want to extract. So if we want the extension we can use pathinfo($file, PATHINFO_EXTENSION);. Now we can use an if statement to check the file type. For example:
$file = $_FILES['my_image']['name'];
$ext = pathinfo($file, PATHINFO_EXTENSION);

// Accept only the extensions we expect for an image
if ($ext == 'jpg' || $ext == 'jpeg' || $ext == 'gif') {
    echo('image is valid');
} else {
    echo('image is not valid');
}

2) Limit file size.

It is safer to apply a limit to the size of the files that can be uploaded. PHP has its own file upload and memory limits. For example, about 5 MB is enough for an average image. We can use the size entry of our FILES variable to get the size of a file.
$file_size = $_FILES['my_image']['size'];

// 5000000 bytes is about 5 MB
if ($file_size <= 5000000) {
    echo('image is valid');
} else {
    echo('image is not valid');
}
Here the file size is in bytes.

3) Clear file name or give a new name.

You know that in XSS there is a way to exploit a vulnerability through the file name. It is a bad idea to save the original file name. One option is to generate a random name for each file when it is uploaded. Otherwise, you can use a function to remove all unwanted characters from the name.

Now, after all of the above checks, we can upload our file to a directory. We can use the move_uploaded_file() function for this. We need to supply two arguments to this function: the first is the temporary name of the file and the second is the target file path. Let's move our file to the uploads directory.
$target_path = 'uploads/filename.jpg';
// The temporary path of the upload is stored under the 'tmp_name' key
move_uploaded_file($_FILES['my_image']['tmp_name'], $target_path);
We can't assume that this function will always succeed. Before doing further steps, use an if statement to check whether moving the file succeeded or not. So guys, I think you learned something from this post. Thanks for reading.
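The three checks above combined into one upload handler, as an added example that is not code from the original post. The function name store_uploaded_image and the two constants are hypothetical; the example also goes slightly beyond the post by checking PHP's upload error code and lower-casing the extension before comparing it.

```php
<?php
// Added example: hypothetical helper, not the original post's code.
// The field name 'my_image' and the 'uploads' directory follow the post.

const MAX_BYTES   = 5000000;                 // 5 MB limit from step 2
const ALLOWED_EXT = ['jpg', 'jpeg', 'gif'];  // allowlist from step 1

function store_uploaded_image(array $file, string $uploadDir): string
{
    // PHP reports upload failures (including its own size limits) in 'error'.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }

    // Step 2: the size is given in bytes.
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('file size not allowed');
    }

    // Step 1: compare the extension case-insensitively so "JPG" is handled too.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('file type not allowed');
    }

    // Step 3: never reuse the client-supplied name; generate a random one.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // move_uploaded_file() returns false on failure and only accepts
    // files that PHP itself received through an HTTP POST upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

if (isset($_FILES['my_image'])) {
    try {
        $path = store_uploaded_image($_FILES['my_image'], __DIR__ . '/uploads');
        echo 'image saved as ' . htmlspecialchars(basename($path));
    } catch (RuntimeException $e) {
        echo 'image is not valid';
    }
}
```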

Thilan Danushka Dissanayaka

Thilan Dissanayaka

Hi, I'm Thilan from Sri Lanka. An undergraduate Engineering student of University of Ruhuna. I love to explore things about CS, Hacking, Reverse engineering etc.