PHP
Vadim Stepanenko, 2019-08-07 16:46:01

Can users upload a virus on the site?

There is a constructor on the site. The user enters the required data in the required fields and a config file is generated on the server with what he specified. Can he write php code with some kind of threat, which can then be run?
And how do you protect yourself from such attacks? If, for example, the user can upload files to the server, how can they be checked?


4 answer(s)
dollar, 2019-08-07
@dollar

In general, no. After all, the config is not saved on the server. And if it is saved, then without the right to launch. Although, in theory, a virus can be loaded without a constructor, but that's another story.
Attack prevention is a broad topic. And the constructor here is the most insignificant factor of all that will have to be taken into account. But in general, with regard to the constructor, if the input data has some kind of safe format, then you can check for compliance with this format.
For example, if a number is entered in a field, then this can be easily checked.
And you can exclude php in text fields by searching for a pair of characters "<?" - and if such a substring occurs, then this is bad text, and the constructor should forbid it.

Northern Lights, 2019-08-07
@php666

No, if the directory is not in public. If it's public, you can create an .htaccess with
php_flag engine off

Ninazu, 2019-08-07
@Ninazu

Depends on how the config is generated according to the user's entered data. And how it is then used. In generators, data is usually escaped if the user can bypass the escape. If this config is then connected, then you have problems)
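
The two points raised in the answers above (check each field against a known format, and escape on generation because the config is later included) can be combined as in the following added example, which is not part of any answer and not code from the asker's site. The field names, `FIELD_RULES`, `buildConfigUnsafe` and `buildConfigSafe` are hypothetical, and the inputs are constructed samples.

```php
<?php
declare(strict_types=1);

// Hypothetical schema for the constructor: every field has one strict format.
const FIELD_RULES = [
    'site_title'     => '/\A[\p{L}\p{N} .,_-]{1,80}\z/u', // letters, digits, basic punctuation
    'items_per_page' => '/\A[1-9][0-9]{0,2}\z/',          // 1..999
    'theme'          => '/\A(light|dark)\z/',             // fixed set of values
];

// Vulnerable pattern, kept for contrast: user text is pasted into PHP source.
// A value containing a single quote ends the string literal, so whatever
// follows it is parsed as code when the generated file is included.
function buildConfigUnsafe(array $input): string
{
    return "<?php\n\$title = '" . $input['site_title'] . "';\n";
}

// Hardened: reject anything outside the schema, then let var_export() emit
// the PHP literal so quotes and backslashes are escaped by the runtime.
function buildConfigSafe(array $input): string
{
    $clean = [];
    foreach (FIELD_RULES as $name => $pattern) {
        $value = $input[$name] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            throw new InvalidArgumentException("Invalid value for field: $name");
        }
        $clean[$name] = $value;
    }
    $clean['items_per_page'] = (int) $clean['items_per_page'];
    return "<?php\nreturn " . var_export($clean, true) . ";\n";
}

// Constructed sample inputs.
$good = ['site_title' => 'My shop', 'items_per_page' => '20', 'theme' => 'dark'];
$bad  = ['site_title' => "x'; phpinfo(); //", 'items_per_page' => '20', 'theme' => 'dark'];

echo buildConfigSafe($good);
try {
    buildConfigSafe($bad);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Writing the generated file outside the web root, or into a directory where PHP execution is switched off, keeps a mistake in the schema from turning into a file that can be requested directly.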
