Dienstag, 23. Juni 2009

Filter filename on fileupload and prevent execution of uploaded files

Its a good way to allways rename uploaded files using something like a MD5-hash and store the original filename in a database.

If for some reason you dont want to rename it using a hash, you should filter the filename using some code like this one:

$filename = strip_tags($_FILES["upload"]["name"]);
$filename = str_replace(array('|','<','>','"','\'',':','\\','/','*','?'),'',$filename);

It's a good idea to deny the execution of all uploaded files: place a .htaccess file in your upload-directory:

RemoveHandler .cgi .shtm .shtml
RemoveType .php .php3 .php4 .php5

deny from all

order deny,allow
deny from all

Keine Kommentare:

Kommentar veröffentlichen