I have one question.
When we give a web user the option to import data into a MySQL table, is this secure?
for example
<form method="post" action="import.php" enctype="multipart/form-data">
    <input id="file1" name="file1" type="file">
    <input type="submit" name="button" id="button" value="Submit">
</form>
and in import.php we have the following code:
<?php
// The uploaded file lands in PHP's temp directory for the duration of this request
$theFile   = $_FILES['file1'];
$tmp_name1 = $theFile['tmp_name'];
$row = 1;
if (($handle = fopen($tmp_name1, "r")) !== FALSE) {
    // Read the upload line by line as comma-separated values
    while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
        $num = count($data); // number of columns in this row
        // SQL insert statement
        $row++;
    }
    fclose($handle);
}
My question is: if someone uploads a script, a .exe or a virus, it will go to the web server's temp directory. How can we secure it?
What would be a safe way?
Thanks
That is not secure. At the very least you need to verify that the file was indeed an uploaded file and not a file already on the server like /etc/passwd. To do that you need to use
is_uploaded_file(). Example:
You also should rename any file uploaded to your server, as leaving the name of the file unchanged could lead to a remote file attack where someone executes the file on your server.
Finally, if the file upload is only supposed to accept certain file types, like images, then you should definitely check to make sure the file is actually an image. At the very least check the file extension to make sure it is a .png, .gif, .jpg, etc. If it is a .exe then reject it immediately, as it obviously is not an image and thus of no use to you.
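To show what those points look like together for the CSV importer in the question, here is a hardened import.php. This is an added example written for this thread, not the original poster's code and not the answerer's lost example. It assumes a private directory outside the web root (UPLOAD_DIR), a PDO connection whose credentials are placeholders, and a target table `records(col1, col2, col3)`; adjust all of those to your setup.

```php
<?php
// Hardened version of the CSV importer from the question (added example).
// Assumptions: UPLOAD_DIR is not served by the web server; the PDO DSN and
// credentials are placeholders; the table records(col1, col2, col3) exists.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private-uploads'; // assumed path outside the web root
const MAX_BYTES  = 5 * 1024 * 1024;            // reject anything larger than 5 MiB

function fail(string $msg): void
{
    http_response_code(400);
    exit(htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'));
}

if (!isset($_FILES['file1']) || $_FILES['file1']['error'] !== UPLOAD_ERR_OK) {
    fail('No file uploaded or upload error.');
}
$theFile = $_FILES['file1'];

// 1. Only accept a file PHP itself received in this request, never an arbitrary path
//    such as /etc/passwd that an attacker managed to place in tmp_name.
if (!is_uploaded_file($theFile['tmp_name'])) {
    fail('Not an uploaded file.');
}
if ($theFile['size'] > MAX_BYTES) {
    fail('File too large.');
}

// 2. Check the extension of the client-supplied name AND the server-detected MIME type.
//    The client name is untrusted, so it is never used for anything but this check.
$ext = strtolower(pathinfo($theFile['name'], PATHINFO_EXTENSION));
if ($ext !== 'csv') {
    fail('Only .csv files are accepted.');
}
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($theFile['tmp_name']);
if (!in_array($mime, ['text/plain', 'text/csv', 'application/csv'], true)) {
    fail('File content is not CSV.');
}

// 3. Store it under a random server-chosen name in a directory the web server does
//    not serve, so even a disguised script can never be requested or executed.
$dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.csv';
if (!move_uploaded_file($theFile['tmp_name'], $dest)) {
    fail('Could not store upload.');
}

// 4. Insert rows with a prepared statement so cell values stay data, never SQL.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('INSERT INTO records (col1, col2, col3) VALUES (?, ?, ?)');

$handle = fopen($dest, 'r');
if ($handle === false) {
    unlink($dest);
    fail('Could not read stored file.');
}
$inserted = 0;
$pdo->beginTransaction();
try {
    while (($data = fgetcsv($handle, 1000, ',')) !== false) {
        if (count($data) !== 3) {
            throw new RuntimeException('Unexpected column count on row ' . ($inserted + 1));
        }
        $stmt->execute($data);
        $inserted++;
    }
    $pdo->commit();
} catch (Throwable $e) {
    $pdo->rollBack();
    fclose($handle);
    unlink($dest);
    fail('Import failed: ' . $e->getMessage());
}
fclose($handle);
unlink($dest); // the CSV is no longer needed once its rows are in the table
echo "Imported $inserted rows.";
```

Two points worth noting about the temp-directory worry in the question: PHP deletes an upload from its temp directory at the end of the request unless move_uploaded_file() moves it, and a file sitting in that directory is not executed by anything on its own. The real risk is the upload ending up somewhere the web server serves or runs files under a name the attacker chose, which is why the example moves it to a private directory under a random name and deletes it once the rows are in the table. Wrapping the inserts in a transaction also means a malformed row leaves the table untouched rather than half imported.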