0

I'm interested making certain my file uploaded via php into a db is locked down. Currently the key functions I'm using are fopen and fgetcsv. Unfortunately this subject seems quite nebulous in the webs.

The file isn't "executed" but is opened and walked with fgetcsv. What steps do I need to do in order make certain that no foul play occurs on my server through this module?

Currently I limit the file size and check the extension.

  1. Do I need to verify the file uploaded is actually a csv and not just some file with a csv extension? I assume this would be through a file type recognizer?
  2. What do I need to do to avoid multibyte/encoding exploits?

***Edit I found this link to be helpful and may be to others; http://php.net/manual/en/features.file-upload.post-method.php

Thanks

vdidxho
  • 165
  • 1
  • 14
  • 1
    Just escape/sanitize everything correctly and you should be fine. – Jaime Nov 01 '16 at 23:28
  • What @Jaime said; additionally, verify that the new records do not interfere with the old, or if they do, they do in the way you devised (e.g. if a record is replaced, it must be because you *approve* such replacements). Check duplicates etc. . Build the SQL query properly. Bad CSV files will be "intercepted" by `fgetcsv`. Apart from that, you might have minor charset issues. Check out http://stackoverflow.com/questions/1472886/some-characters-in-csv-file-are-not-read-during-php-fgetcsv . – LSerni Nov 02 '16 at 07:23

1 Answers1

-1

If you are relying on a library to parse user input, you should have confidence in the quality of the library.

If you don't then picking a separate library is advisable.

If no sufficiently stable library can be found for the task, the only viable option in a security-critical application is to implement the functionality yourself.

0x90
  • 6,079
  • 2
  • 36
  • 55
  • This answer doesn't say anything about the security risks and/or recommend any type of improvements about preventing issues. – Nick May 03 '21 at 20:42