I’m developing a very simple PHP upload feature in my site to permit users to upload JUST images. Apart from checking the mime-type through php I wanted a .htaccess file to rule what can be uploaded and what can’t.
I want to insert the .htaccess in my root folder and from there writing the rules for all the folders I need to be ruled.
It’s the first time I work with .htaccess and from the internet I was able to find this:
http://pastebin.com/0KNHEbw0
But it doesn’t work. I’m testing it locally with my xampp on win7 and I see that I can upload any type of files in the “oggetti” folder.
What’s that is wrong?
And then, to rule other folders should I write something like this?
http://pastebin.com/dFMUu1g0
Thank you in advance!
You can’t control what files are uploaded through a
.htaccessfile: Apache, the web server parsing those commands, deals with serving the files only.You will need to do these checks in the PHP script that handles the upload process. Note that checking the MIME type sent with the file is not a reliable method to determine a file’s type! The value sent can be manipulated by an attacker. To ensure a file is an image file, you could e.g. use
getimagesize().