Oct 15, 2007
How to do secure file uploads with php? Or, more correctly, how to upload to a secured dir? Many apps and posts I have seen on the web advise that the target dir must be writable. Now, this is ok if I am the owner of the dir, but what about if I want my users to be able to e.g. upload an image? Unless I authenticate them as an ftp user on the system, with access to the folder, the folder must be chmod 777, which is highly insecure. If I am using a shared host, which many of us are, it is not feasible for me to create an ftp login for all my users. I use session based security, and require sessions for all uploads, but if the folder is 777, anyone can just come along and browse it, and more importantly, bypass the session and write to it.
View 4 Replies
htaccess is not really suitable in my situation either, as it will use the browser popup for auth, rather than my login system and this is not consistent with the rest of the site. Once someone has logged into my site (i.e. authenticated against my db, and got a session/cookie), they should be logged in to all the areas they require access too. And how to maintain password resets etc between the db AND the htpasswd file?
Is there a way for me to use something like ftp_connect, or cURL to open a connection, possibly as a ftp user who only has access to this folder, and do some stuff like fopen(); fwrite(): or imagejpeg(); whilst the connection is open, and then close that connection?