Re: File Upload security

by Tamara <tamara(at)>

 Date:  Thu, 26 Apr 2001 09:00:03 -0500
 To:  "Lauri Vain" <optima(at)>,
"html list" <hwg-basics(at)>
 References:  sportsstuff
  todo: View Thread, Original
At 08:27 PM 4/16/2001 +0300, Lauri Vain wrote:
>Technically one *could* upload a virus but it doesn't really matter because
>nothing (and I mean *nothing*) will happen to the server as the virus (should
>somebody choose to upload one) won't be executed by the server. According to
>some reports viruses don't spread on *nix systems (Linux, Unix -- your server is
>likely to run a brand of one of them) anyhow -- can't confirm that because I
>haven't tested running viruses on *nix systems myself. Somebody else on this
>list will probably know access issues better.


According to what I've learned so far from studying php/MySQL -- to upload anything you have to give *nobody* directory permissions. I have been advised to put the directory in my root directory to avoid security problems. This is according to my php pal, *nix doesn't care what kind of file is uploaded -- you /must/ give nobody permission and then everybody can upload and access /everything/ whether it be jpg, txt or exe.

>Back to the point -- as I understand, you want visitors to be able to upload
>images. There is one thing I would recommend you to protect against. People
>could try to upload files other than images or just too many images to waste
>your bandwidth and use up your server space. I, personally, would implement a
>verification (in case the upload form is open for public) to check whether the
>uploaded file really is an image (checking the extension and file type). If the
>file isn't an image then delete it from the server and don't insert it to a

Again, speaking from my /very, very/ limited experience, it's not that hard to rename an exe as a jpg and then get into the file and change it back if someone were truly dedicated.

Now, off to practice the lessons I've learned since I currently have a *nobody* directory in my public_html and I have been attempting to change it.


HTML: hwg-basics mailing list archives, maintained by Webmasters @ IWA