secured file uploading

Posted on 2007-07-24
Last Modified: 2010-04-11
I have just made a script which allows my website members to upload their images, avatars, etc. This script isn't secure since anyone can upload anything via it. This script doesn't check whether the uploaded file is an image or not. Simply anyone can upload a SHELL file to hack my website.

Is there any way to secure this script? Is it a good idea to keep files being uploaded on the same server as my website?

Best Regards,
Question by: Shopies

    Expert Comment

    What language are you using for your server-side scripting? Every mainstream language should have the capability of restricting which files can be uploaded based on the file's MIME type. Tell me what language you are using and I can give you an example.

    Author Comment

    I'm using PHP
    Thanks for posting

    Accepted Solution

    Here is a link with an example of how to filter by mime type:

    If you look at the example on this page you will see that it is checking the MIME type of the file like this:
     $file_array['type'] == "image/gif"

    Here is a list of file extensions and their MIME types you can use to filter out the types of files you want to allow:
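
The following is an added example, not code from the thread or from the linked page. The `type` field of a PHP upload array is supplied by the browser and is not verified by PHP, so this sketch detects the type from the file content instead. The field name `avatar`, the directory `/var/www/uploads`, the size limit and the function name `store_uploaded_image` are assumptions.

```php
<?php
// Added example, not from the thread. UPLOAD_DIR, MAX_BYTES, the 'avatar'
// field and store_uploaded_image() are assumed names.
const UPLOAD_DIR = '/var/www/uploads'; // assumed path; keep it outside the web root
const MAX_BYTES  = 2097152;            // assumed limit: 2 MiB
const ALLOWED    = [                   // detected MIME type => extension we assign
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

function store_uploaded_image(array $file): string
{
    // Reject missing, failed or array-valued (multi-file) uploads.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    $tmp = $file['tmp_name'];
    if (!is_string($tmp) || !is_uploaded_file($tmp) || filesize($tmp) > MAX_BYTES) {
        throw new RuntimeException('Invalid or oversized upload.');
    }
    // Type is detected from the file content, not from $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('Only GIF, JPEG and PNG are accepted.');
    }
    // The content must also parse as an image header.
    if (getimagesize($tmp) === false) {
        throw new RuntimeException('Not a readable image.');
    }
    // Server-generated name and fixed extension; the client's file name is ignored.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($tmp, UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $name;
}

if (isset($_FILES['avatar'])) {
    try {
        echo 'Stored as ', store_uploaded_image($_FILES['avatar']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Serving the upload directory with script execution disabled adds a second barrier if one of these checks is ever bypassed.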
