
I have created a webpage where users can upload files to the server and I did not restrict the file types. What is the best solution to make that folder not executable and allow all the files only to be downloaded when accessed?

So far I have the following .htaccess file on that folder:

# Serve every matched file as a raw download instead of letting a handler run it
<Files *.*>
   ForceType application/octet-stream
</Files>
Jamol
  • You are at risk! Try to save them in a folder outside the webroot, and then read them back with PHP. – Jul 14 '13 at 11:17
  • IE will still MIME-sniff `application/octet-stream`, leaving you open to XSS when HTML-like data is hidden in the file contents. `X-Content-Type-Options` somewhat addresses this attack but it doesn't cover all browsers and plugins. Ultimately if you are serving verbatim user-supplied files the only certain way to be safe from XSS attacks is to serve the files from a completely different domain, away from your main site, which you can allow to be XSSed without consequence. – bobince Jul 14 '13 at 17:52

0 Answers
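As an added example that is not part of the question or any answer on this page, here is an `.htaccess` for the upload directory that covers both the execution concern in the question and the MIME-sniffing point raised in the comments. It assumes Apache 2.4 with `AllowOverride All` (at least `FileInfo` and `Options`), `mod_headers` and `mod_mime` loaded, and `mod_php5` only if PHP runs as an Apache module; the directives sit at directory level rather than inside `<Files *.*>`, because that glob only matches names containing a dot.

```apache
# Added example, not the asker's configuration: harden an upload-only
# directory in Apache 2.4. Assumes AllowOverride All (or at least
# FileInfo + Options) and that mod_headers and mod_mime are loaded.

# 1. Never let a script handler run on anything in this directory.
#    default-handler serves the bytes as a static file, whatever the name.
SetHandler default-handler

# 2. If PHP runs as an Apache module, switch the engine off here as well.
#    Use mod_php7.c / mod_php.c for newer PHP builds. For php-fpm setups
#    the SetHandler line above already overrides the proxy handler.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
# Drop handler and type mappings so an inner ".php" in a file name
# (which AddHandler-based setups can still execute) stays inert.
RemoveHandler .php .phtml .phar
RemoveType    .php .phtml .phar

# 3. No CGI execution and no directory listing of what was uploaded.
Options -ExecCGI -Indexes

# 4. Every response is an opaque download. The type is spelled out in full;
#    the original post had "applicaton", which Apache would have sent as-is.
ForceType application/octet-stream
<IfModule mod_headers.c>
    # Tell the browser to save rather than render the body.
    Header set Content-Disposition "attachment"
    # Ask browsers not to MIME-sniff the body (not honoured everywhere,
    # as bobince notes, so this is defence in depth, not the fix).
    Header set X-Content-Type-Options "nosniff"
    # If something is rendered anyway, no script may run from it.
    Header set Content-Security-Policy "default-src 'none'; sandbox"
</IfModule>
```

Serving the directory from a separate origin, as bobince suggests, remains the complete answer to the XSS risk; this configuration only limits what an uploaded file can do on the main host.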