I’m making a site in which people will be able to upload files to a specific subdirectory. Just in case someone were able to bypass the filters for uploading potentially malicious (presumably php) files, I wondering if it is possible to make the malicious code inaccessible. I am looking at 2 different methods.
The first is to see if there was a way with to make it so you cannot access any files in the subdirectory by typing the files url into the browser (www.example.com/images/blahblah.jpg), but have the files still appear properly when linked to by <img src=images/blahblah.jpg />
The second way to accomplish this could be to disable php in the subdirectory with the .htaccess file. I’ve tried php_admin_flag engine off,
php_flag engine off,
RemoveHandler .php
RemoveType .php
php_flag engine off
Options -ExecCGI
but each try either does nothing, or disables everything in the directory. Is there a reason these are not working? What is the best way to disable php or secure a directory with .htaccess?
You can keep the metadata about the uploaded files in a Db and store the content rather in a custom extension text file. For example everything uploaded could be stored as 1.ext or file.my or no extension at all. And when the file is requested you will just read and dump its content. Adding to this will be to rename all files uploaded.
You can also keep the original files out of the document root( and its subdirectory ) and with the help of .htaccess have all request forwarded to a single file lets call entrance.php Then that php file will simply read the file and dump its content or issue a 404 if not found or not the type allowed.
Hope it helps.