PHP
SKEPTIC, 2020-08-28 01:24:47

Protection in PHP against malicious scripts being uploaded to the server when a user uploads a file?

Actually, the question is in the title. I found a couple of articles on the Internet, but they date back to the beginning of the last decade.

So how can you protect the site as much as possible against malicious scripts being uploaded and executed, if the site has a page where users can upload files?

Checking the file extension comes to mind. For example, allow only png, jpg and other pictures. Split the string on the dot and take the last value.

Are only files with a .php extension dangerous?


4 answer(s)
DevMan, 2020-08-28
@pro100chel

Elementary: it is enough to make sure that the uploaded files are not executed as code.

Are only files with a .php extension dangerous?
Any file is dangerous, regardless of its extension, especially on *nix, where the extension plays no role whatsoever.
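One concrete way to apply that rule in PHP, as an added example rather than code from the answer: uploads are written to a directory the web server never maps to a URL (the path /var/www/uploads next to, not under, the document root is an assumption), under a server-generated name, and are handed back only by a script that sets a fixed Content-Type from a whitelist. Whatever an attacker puts in the file, the PHP interpreter is never asked to run it, and the browser is told not to guess a different type.

```php
<?php
// Added example (not from the original answer): keep uploads where the web
// server never maps a URL to them, then hand them out through this script.
// Assumed layout: DOCUMENT_ROOT is /var/www/html; uploads live in
// /var/www/uploads, a sibling of the document root, not a child of it.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';

// Only these types are ever handed out, and each one gets a fixed
// Content-Type: the client is not allowed to "sniff" anything else.
const ALLOWED_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
    'pdf' => 'application/pdf',
];

/**
 * Store an uploaded file under a server-generated name. The client-supplied
 * name is used for nothing except picking the extension from the whitelist.
 * Returns the new name (the id that serve() later looks up) or null.
 */
function storeUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // Random name: no user-controlled characters reach the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // readable by the web server user, never executable
    return $name;
}

/**
 * Stream a stored file to the browser. The id must have exactly the shape
 * storeUpload() produces, so "../" and friends are rejected before any
 * filesystem call is made.
 */
function serve(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}\.([a-z]{3})$/', $id, $m)
        || !array_key_exists($m[1], ALLOWED_TYPES)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . ALLOWED_TYPES[$m[1]]);
    header('X-Content-Type-Options: nosniff');          // no MIME guessing
    header('Content-Disposition: inline; filename="' . $id . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);                                     // bytes only, never include()
}

// Hypothetical wiring: POST a form field "f" to store, GET ?id=<name> to fetch.
if (PHP_SAPI !== 'cli') {
    if (isset($_FILES['f'])) {
        $id = storeUpload($_FILES['f']);
        echo $id === null ? 'rejected' : 'stored as ' . $id;
    } elseif (isset($_GET['id'])) {
        serve((string) $_GET['id']);
    }
}
```

The two pieces that matter are the directory choice and `readfile()`: a file that no URL resolves to cannot be requested as `/uploads/x.php`, and a byte copy through the script stays a byte copy no matter what the file is called or contains.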

maxbrown, 2020-08-28
@maxbrown

The number of ways to execute a specially crafted file is not just large, but growing. Some holes get patched, others appear in their place.
For example, I remember the times when it was enough to set the rw------- attribute on a file, and then suddenly, after the next update of the hosting software, those files became both visible and executable.
We cannot know in advance how the server software will change.
But we can more or less confidently assume that archives will remain archives, and that without extracting from them it will remain impossible to execute the file.
Therefore, if the site is not too heavily loaded, archive the uploaded file and serve its contents only through an unzip script. And you won't go broke.
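The archive-and-unzip scheme in PHP terms, as an added example and not the answer author's code: each upload is wrapped into its own ZIP under a random name (ARCHIVE_DIR is an assumed path outside the document root, and the entry name `payload` is arbitrary), and the only way out is `ZipArchive::getStream()` from a script that sets the Content-Type itself.

```php
<?php
// Added example (not the answer author's code): every upload lives inside a
// ZIP container and is only ever streamed out of it on request.
// Assumed: ARCHIVE_DIR is outside the document root and writable by PHP.
declare(strict_types=1);

const ARCHIVE_DIR = '/var/www/archives';
const ENTRY_NAME  = 'payload'; // fixed entry name; the client's file name is never used

/** Wrap an uploaded file into <random>.zip and return that id, or null. */
function archiveUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $id  = bin2hex(random_bytes(16));
    $zip = new ZipArchive();
    // EXCL: fail instead of silently reusing an existing archive name.
    if ($zip->open(ARCHIVE_DIR . '/' . $id . '.zip',
                   ZipArchive::CREATE | ZipArchive::EXCL) !== true) {
        return null;
    }
    $added = $zip->addFile($file['tmp_name'], ENTRY_NAME);
    $zip->close();            // the data is read and written here
    return $added ? $id : null;
}

/**
 * Stream the entry back. The caller decides the Content-Type (a fixed,
 * non-executable one); the archive on disk is never exposed as a URL.
 */
function serveFromArchive(string $id, string $contentType = 'application/octet-stream'): bool
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {   // reject anything but our ids
        http_response_code(404);
        return false;
    }
    $zip = new ZipArchive();
    if ($zip->open(ARCHIVE_DIR . '/' . $id . '.zip') !== true) {
        http_response_code(404);
        return false;
    }
    $stream = $zip->getStream(ENTRY_NAME);
    if ($stream === false) {
        $zip->close();
        http_response_code(404);
        return false;
    }
    header('Content-Type: ' . $contentType);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $id . '"');
    fpassthru($stream);       // decompress straight to the client, nothing hits disk
    fclose($stream);
    $zip->close();
    return true;
}

// Hypothetical wiring: POST field "f" to archive, GET ?id=<hex> to download.
if (PHP_SAPI !== 'cli') {
    if (isset($_FILES['f'])) {
        $id = archiveUpload($_FILES['f']);
        echo $id === null ? 'rejected' : 'archived as ' . $id;
    } elseif (isset($_GET['id'])) {
        serveFromArchive((string) $_GET['id']);
    }
}
```

The container only buys something while nothing can fetch the .zip itself and the unzip script keeps choosing the Content-Type; if the archive directory ever becomes reachable by URL, the answer's own point about changing hosting software applies to it just the same.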

FanatPHP, 2020-08-28
@FanatPHP

That is because you don't know how to google.
Firstly, you can specify which site to search in:
site:qna.habr.com secure file upload - and presto, it turns out you are not the only prodigy who came up with this unique question; whole herds run around here with one and the same question.
Secondly, you can set the date of the article. You don't like the last decade? Set the current one.

xmoonlight, 2020-08-28
@xmoonlight

Prohibit direct access from the browser to the uploaded files (with the folder specified).
If the uploaded files must be requested directly from the browser, an intermediate "quarantine" folder is created: a script validates the "body" of the file for compliance with the expected format and moves it to the direct-access folder if the file has passed the check.
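The quarantine flow step by step, as an added example (not xmoonlight's code) that also folds in the extension whitelist from the question: an upload lands in QUARANTINE_DIR under a random name, the body is checked with finfo and `getimagesize()` against the type the extension promises, the image is re-encoded through GD so that only pixel data survives, and only then does it move to PUBLIC_DIR. Both directory paths and the 2 MB limit are assumptions; PUBLIC_DIR stands for the direct-access folder and is expected to be served as static files only.

```php
<?php
// Added example (not the answer author's code): the "quarantine folder" flow.
// Assumed paths: QUARANTINE_DIR is outside the document root; PUBLIC_DIR is
// the direct-access folder, served as static files with no script handler.
declare(strict_types=1);

const QUARANTINE_DIR = '/var/www/quarantine';
const PUBLIC_DIR     = '/var/www/public_uploads';
const MAX_BYTES      = 2 * 1024 * 1024;   // assumed limit

// Extension the client claims -> MIME type the file body must actually have.
const IMAGE_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

/**
 * Step 1: accept the upload into quarantine under a random name. Nothing is
 * served from here, so a bad file sitting in this directory is inert.
 * The extension check is the one from the question, done with pathinfo().
 */
function quarantine(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || (int) $file['size'] > MAX_BYTES) {
        return null;
    }
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, IMAGE_TYPES)) {
        return null;
    }
    $tmp = QUARANTINE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $tmp) ? $tmp : null;
}

/**
 * Step 2: check the body, not the name. finfo reads the magic bytes and
 * getimagesize() must agree with it, so a ".png" whose body is not a PNG
 * fails here. Returns the detected MIME type or null.
 */
function validateImageBody(string $path): ?string
{
    $ext      = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    $expected = IMAGE_TYPES[$ext] ?? null;
    if ($expected === null) {
        return null;
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($detected !== $expected) {
        return null;
    }
    $info = @getimagesize($path);
    if ($info === false || ($info['mime'] ?? null) !== $expected) {
        return null;
    }
    return $detected;
}

/**
 * Step 3: re-encode and move. Rewriting the pixels through GD drops
 * everything that is not image data (EXIF, trailing bytes, a PHP tag hidden
 * in a comment chunk), so what lands in PUBLIC_DIR is a file the server
 * itself produced. Animated GIFs lose their animation in the process.
 * Returns the public file name or null; the quarantined copy is always removed.
 */
function promote(string $quarantinePath): ?string
{
    $mime = validateImageBody($quarantinePath);
    $img  = $mime === null ? false
          : @imagecreatefromstring((string) file_get_contents($quarantinePath));
    if ($img === false) {
        unlink($quarantinePath);
        return null;
    }
    $ext  = (string) array_search($mime, IMAGE_TYPES, true);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = PUBLIC_DIR . '/' . $name;
    switch ($mime) {
        case 'image/png':  $ok = imagepng($img, $dest);        break;
        case 'image/gif':  $ok = imagegif($img, $dest);        break;
        default:           $ok = imagejpeg($img, $dest, 85);   break;
    }
    imagedestroy($img);
    unlink($quarantinePath);
    return $ok ? $name : null;
}

// Hypothetical wiring: a form field "f" goes through all three steps.
if (PHP_SAPI !== 'cli' && isset($_FILES['f'])) {
    $q = quarantine($_FILES['f']);
    $p = $q === null ? null : promote($q);
    echo $p === null ? 'rejected' : 'published as ' . $p;
}
```

The order matters: the extension check only decides which body check to run, the body check decides whether the file is an image at all, and the re-encode is what makes the published file safe to serve as a static asset even if some later server change hands out that folder in a new way.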
