
Prevent MIME Faking On PHP Uploads

- 1 answer

Is there a way to prevent someone from faking a MIME type on a file upload and then running a PHP/exe/etc...

I have to make the file upload directory writeable and executable so that the files can be stored, but this allows anyone to run a script after. One thing I can do is add random data to the file name so they can't guess the file name after (since they still can't read from the directory to get a listing).

I'm using file upload with PHP for the first time and I'm trying to cover all of the security issues.


Answer

The file upload directory should not be accessible to the web browser. I.e. don't allow somebody to upload a file, say "remove_all_my_files.php", and then execute it on your system by giving the URL to it, say "http://xample.com/uploads/remove_all_my_files.php".
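
One way to apply this, as an added example that is not part of the original answer: uploads are stored outside the document root under a server-generated name, the type is detected from the file's bytes rather than the client-supplied MIME type, and files are only ever streamed back by a script. `UPLOAD_DIR`, the `upload` field, the `id` parameter, the allow-list and both function names are assumptions.

```php
<?php
// Added example: the path, field name and allow-list below are assumptions.
const UPLOAD_DIR = '/var/www/private_uploads'; // assumed location outside the document root
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // $file['type'] and $file['name'] are client-supplied; detect the type from the bytes instead.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('File type not allowed');
    }
    // Server-generated name: unguessable, and the extension never comes from the uploader.
    $id = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('Could not store file');
    }
    return $id;
}

function send_upload(string $id): void
{
    // Accept only names shaped like the ones store_upload() generates (blocks path traversal).
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|pdf)\z/', $id, $m) || !is_file(UPLOAD_DIR . '/' . $id)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . array_search($m[1], ALLOWED, true));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $id . '"');
    readfile(UPLOAD_DIR . '/' . $id); // streamed as data, never handed to the PHP interpreter
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    echo store_upload($_FILES['upload']);
} elseif (isset($_GET['id']) && is_string($_GET['id'])) {
    send_upload($_GET['id']);
}
```

Because the stored file has no URL of its own, a file whose content passes the type check but also contains PHP code still cannot be requested and executed.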

source: stackoverflow.com