Solved

How do I secure uploaded files?

Posted on 2009-04-12
9
262 Views
Last Modified: 2012-05-06
I'm trying to build a document management system whereby persons can upload documents and have them stored on the server.
I'm using a simple upload HTML form called test.html to upload the document and PHP in a file called uploader.php to store the uploaded file on the server.
I intend to save the path and filename of the document in a field of a documents table in a mySql database. I would use that information to later retrieve the file. However, my professor says that's not very secure because anyone who has the path and name can access the document.

How do I make the uploaded documents secure? Is there another way I can use so that I don't store the file address but still be able to retrieve documents?
<<<<<<<<< TEST.HTML >>>>>>>>>>>>>
<form enctype="multipart/form-data" action="uploader.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="100000" />
Choose a file to upload: <input name="uploadedfile" type="file" /><br />
<input type="submit" value="Upload File" />
</form>
 
<<<<<<<<< UPLOADER.PHP >>>>>>>>>>>>>
<?php 
 
// Directory under the web root where uploads land; because it is web-reachable,
// the saved path can be requested directly by anyone who knows it.
$target_path = "uploads/";

// Guard against a request that carries no (or a failed) upload
if (!isset($_FILES['uploadedfile']) || $_FILES['uploadedfile']['error'] !== UPLOAD_ERR_OK) {
    die("No file was uploaded");
}

// basename() strips any directory part the client put in the file name
$target_path = $target_path . basename( $_FILES['uploadedfile']['name']); 
 
if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
    echo "The file ".  basename( $_FILES['uploadedfile']['name']). 
    " has been uploaded";
} else{
    echo "There was an error uploading the file, please try again!";
}
?>


0
Question by:kgpretty
9 Comments
 
LVL 4

Expert Comment

by:Tagor
ID: 24125859
You can chmod the folder to prevent users from accessing the files. Or you could use an htaccess file to secure it with a password.
0
 

Author Comment

by:kgpretty
ID: 24125871
How exactly can I "chmod the folder"??
0
 
LVL 4

Expert Comment

by:Tagor
ID: 24125916
You can chmod the folder using FTP. Please see below for more information. Or search on 'chmod explained' or 'chmod tutorial'
Basically chmod (aka "permissions") is short for "change mode". On a linux server such as ours it basically is how you change permissions for files and directories that can be used by a script. And also what can be done with those files and directories. There are three parts to a chmod number. The first number is for "owner", the second number is for "group", and "others" is the third. Most scripts will give you the chmod settings that will be needed in either the "readme" for the script or in the script code itself. To give you an example of the meaning of owner, groups, and others, let's use the ZboX web forum script as an example. The definition of the three in the forum are: 
Owner: Me. I have access to everything in the script including admin areas. 
Group: Everyone who has registered for the forum. You can read and execute certain aspects of the script like posting. 
Others: This would be the unregistered "Guests". All they can do is read the forum. They can't post or interact in any way. 
Below are examples of the chmod numbers and their usage. 
For Files: 
777: all can read/write/exec
755: owner can do all, group/others can read/exec
644: owner can read/write, group/others can read only 
 
For Directories: 
777: all can read, write, search
755: owner can do all, others and group can only search 
Typical settings: 
cgi scripts: 755 
Data files: 666 
Configuration files: 644 (files not updated by scripts) 
Directories: 777 (with proper permissions on files in directory) 
Here's a security tip: chmod a script to 400 if you want to disable it. You can always chmod it to 755 when you want to run it again. 
Here's a handy little script that allows you to figure what chmod number you need: 
 
Source: http://zboxhosting.com/board/index.php/topic,79.0.html


0
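As an added example (not Tagor's code and not from the thread), here is the permission scheme above applied from PHP to the asker's uploader. The upload directory is assumed to sit outside the web root (the path is a placeholder) and is given mode 0700; each stored file gets a random name and mode 0600, so neither the client-chosen file name nor a guessable URL ever points at it. describe_mode() renders a mode number as the same rwx string the tables use, so the effect of 755, 644 or 600 can be checked on the stored file. Serving the file back to its owner is left to a separate script that checks who is asking.

```php
<?php
// Added example, not code from the thread. Storage side only: where the file goes
// and which permission bits it gets. Paths are placeholders.

const PRIVATE_DIR = '/var/www/private_uploads';   // assumed: NOT under the document root
const MAX_BYTES   = 100000;                       // the limit test.html advertises, enforced here

// Render a numeric mode the way the chmod tables do, e.g. 0755 -> "rwxr-xr-x".
function describe_mode(int $mode): string {
    $out = '';
    foreach ([6, 3, 0] as $shift) {                // owner, group, others
        $bits = ($mode >> $shift) & 7;
        $out .= ($bits & 4) ? 'r' : '-';
        $out .= ($bits & 2) ? 'w' : '-';
        $out .= ($bits & 1) ? 'x' : '-';
    }
    return $out;
}

// Create the upload directory if needed and refuse to run if it is reachable by URL.
function prepare_private_dir(string $dir): void {
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("Cannot create $dir");
    }
    $real     = realpath($dir);
    $doc_root = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($doc_root !== false && strpos($real, $doc_root . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("$dir is inside the document root; move it");
    }
    chmod($real, 0700);                            // rwx------: web server account only
}

// Save an upload under a random name with owner-only permissions.
// Returns the stored name; the caller records it with the owner's id in the database.
function store_private(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload rejected');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    prepare_private_dir(PRIVATE_DIR);
    $stored = bin2hex(random_bytes(16));           // the client-chosen name never reaches the disk
    $dest   = PRIVATE_DIR . DIRECTORY_SEPARATOR . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save upload');
    }
    chmod($dest, 0600);                            // rw-------: no execute bit, no group/world access
    return $stored;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['uploadedfile'])) {
    $name = store_private($_FILES['uploadedfile']);
    $perm = fileperms(PRIVATE_DIR . DIRECTORY_SEPARATOR . $name) & 0777;
    printf("Stored as %s with mode %o (%s)\n", $name, $perm, describe_mode($perm));
}
```

The numeric modes are Unix permissions; on a Windows development box such as the asker's phpMyAdmin setup, the part of this that still matters is the document-root check, since a directory the web server does not map to a URL cannot be fetched by path regardless of mode bits.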
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 24126198
For a document management system you might want to use Google Docs.  If you are trying to write one yourself, consider using the data base to store the documents.  HTH, ~Ray
0
 

Author Comment

by:kgpretty
ID: 24127502
Ray_Paseur, I am trying to implement a database to store the documents, didn't you read my question?
0
 

Author Comment

by:kgpretty
ID: 24130428
I have phpMyAdmin set up on my computer and mySql. How do I implement chmod on my computer?
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 24132757
I read your question, including this, "persons can upload documents and have them stored on the server" and between that and your professor's comment about security I concluded that you might be planning to place the documents in the server file system - i.e., in a directory.  Of course you can do that, but if you want to secure the docs against prying eyes, you need a little more security.  A data base will provide that for you since it will not be directly accessible from outside the scripts running on your server.  If nobody but you can upload scripts to the server, you can control what the scripts will serve up.

If you use a data base to store the docs, you do not need to worry about file and directory permissions because your scripts will provide the logic that implements the equivalent protections -- in other words, chmod is moot.  But if you want to learn about chmod, you can find it in the PHP man pages online here:
http://us2.php.net/manual/en/function.chmod.php -- be sure to read the notes as well as the description.

Best regards, ~Ray
0
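Ray's database option as an added example (not Ray's or the asker's code): the document bytes go into a LONGBLOB column, so nothing is written under the web root and there is no file path to store; retrieval is a script that looks the document up by id together with the logged-in owner, which is the "logic that implements the equivalent protections" above. The table definition, the connection credentials and the presence of $_SESSION['user_id'] from an existing login page are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL table:
//   CREATE TABLE documents (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     owner_id INT NOT NULL,
//     original_name VARCHAR(255) NOT NULL,
//     mime_type VARCHAR(100) NOT NULL,
//     content LONGBLOB NOT NULL
//   );
// and that a login page has already put the user's id in $_SESSION['user_id'].
// Host, database name and credentials are placeholders.
session_start();

function db(): PDO {
    return new PDO('mysql:host=localhost;dbname=docs;charset=utf8mb4', 'dbuser', 'dbpass',
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
}

function current_user(): int {
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login required');
    }
    return (int) $_SESSION['user_id'];
}

// Store the uploaded bytes in the table. No file lands under the web root,
// so there is no path anyone can request directly.
function store_document(array $file, int $owner_id): int {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload rejected');
    }
    if ($file['size'] > 100000) {                  // the form's MAX_FILE_SIZE, enforced server-side
        throw new RuntimeException('File too large');
    }
    $pdo  = db();
    $stmt = $pdo->prepare(
        'INSERT INTO documents (owner_id, original_name, mime_type, content) VALUES (?, ?, ?, ?)'
    );
    $mime = mime_content_type($file['tmp_name']) ?: 'application/octet-stream';
    $stmt->bindValue(1, $owner_id, PDO::PARAM_INT);
    $stmt->bindValue(2, basename($file['name']));  // kept for display only
    $stmt->bindValue(3, $mime);
    $stmt->bindValue(4, file_get_contents($file['tmp_name']), PDO::PARAM_LOB);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Serve a document by numeric id, but only to its owner. The WHERE clause is the
// access control: a valid id that belongs to someone else gets the same 404.
function send_document(int $doc_id, int $viewer_id): void {
    $stmt = db()->prepare(
        'SELECT original_name, mime_type, content FROM documents WHERE id = ? AND owner_id = ?'
    );
    $stmt->execute([$doc_id, $viewer_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit('Not found');
    }
    // Sanitise the display name before it goes into a response header
    $safe_name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: ' . $row['mime_type']);
    header('Content-Disposition: attachment; filename="' . $safe_name . '"');
    header('X-Content-Type-Options: nosniff');     // browser must not second-guess the type
    header('Content-Length: ' . strlen($row['content']));
    echo $row['content'];
}

$user = current_user();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['uploadedfile'])) {
    echo 'Stored as document ' . store_document($_FILES['uploadedfile'], $user);
} elseif (isset($_GET['id'])) {
    send_document((int) $_GET['id'], $user);
}
```

The same script handles both halves of the asker's setup: a POST from test.html stores the document, and a GET with ?id=N returns it. What the client learns is only an integer id, and knowing another user's id is not enough, because the SELECT is bound to the session's owner.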
 
LVL 109

Accepted Solution

by: Ray Paseur (earned 50 total points)
ID: 24132769
One other note, you mentioned your "professor" so I need to ask if this is a schoolwork assignment.  By EE policy, we are not allowed to do those, so the only help we would be permitted to offer would be guidance.
0
 

Author Closing Comment

by:kgpretty
ID: 31569327
Thanx
0
