0

I am designing internal mail delivery application for the users of my site using PHP and MySQL. In which users can attach attachments like images and others.

but problem occurs when user attach a PHP script or html page as an attachment. Giving direct url to the recipient cause the script/page attached to run on server.

Which in turn dangerous if it has some vulnerable code for the website.

So What I want is :

  • Denying all PHP scripts , .html and .exe files within attachment folder to run on server
  • But all files must be still downloadable and viewable inside website as text file(for .php, .html, .css, .js files) by checking authorization of user by another PHP script located in another folder
  • All in all Denying access to scripts but not the folder

    • Can any one help me in this ? I've seen questions similar to this like: Disable PHP in directory (including all sub-directories) with .htaccess

    but this is different from that as it specifically asks for iis environment and web.config solution(if possible). But others uses .htaccess or httpd.conf which both doesnt work on iis on windows

    Thanks in advance.

    Community
    • 1
    • 1
    Vedant Terkar
    • 4,553
    • 8
    • 36
    • 62
    • 1
      Have a look at this http://stackoverflow.com/questions/1271899/disable-php-in-directory-including-all-sub-directories-with-htaccess – WayneC Jul 02 '13 at 12:24

    1 Answers1

    0

    I think the quickest and easiest way would be to simply zip all uploaded files, and then serve them all as zips, regardless of content.

    You could also get some stuff done with .htaccess files, but in case the server software changes you may need to mess with it again in order to make everything safe again, and while you don't, you're exposed.

    LordFokas
    • 68
    • 5