nandananushil1

asked on

Secure File Upload

I am making a form where people (clients) will be able to upload files. These files can have any extension, even ".php".

How can I prevent the code in an uploaded file from being executed, considering I cannot change the file name?
mydropz

If the file is uploaded on a Linux/Unix server, you could change the owner of the file to a user who has no execution rights. The Unix command that can do that for you is chown.
nandananushil1

Hi mydropz,
Thanks for the quick reply... Yes, it will be hosted on a Linux server, but how can I change the owner of the file through PHP?
Ray Paseur

Filter Input, Escape Output.  Usually you will want to accept only known good values in a form field.  It sounds like you have decided not to adhere to that advice, so here is what I would do:

Never, never, never echo any client input back to the browser without doing it this way:

echo htmlentities($thing);

The output will look fine because the entities will be rendered by the browser, but the output will not be executable.
nandananushil1

Hi Ray,
Thanks for the reply. No, I know how to restrict file extensions etc., but what I am trying to implement is something like Experts Exchange's file upload. Here also we can upload files of any extension, and when you click on that file link it is forced for download. I want something like that, so that the file is downloaded instead of being executed.
Ray Paseur
Thanks for the points.  Best regards, ~Ray
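
The forced-download behaviour asked for in this thread, as an added PHP example that is not part of the original posts or of Experts Exchange's own code: uploads are stored outside the web root under a random ID and streamed back with attachment headers, so the server never executes them and the browser never renders them. The path /var/app-data/uploads, the form field "upload", the "id" query parameter and both function names are assumptions; the client's file name is kept unchanged as metadata and reused for the download.

```php
<?php
// Added example. STORE is a hypothetical directory outside the web root, so
// the web server never maps a URL onto an uploaded file and never runs it.
const STORE = '/var/app-data/uploads';

// Save an upload under a random ID; the client's file name is kept only as
// metadata, so an extension such as ".php" has no effect on the server.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $id = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], STORE . "/$id.bin")) {
        throw new RuntimeException('cannot store upload');
    }
    chmod(STORE . "/$id.bin", 0640);                  // no execute bit
    file_put_contents(STORE . "/$id.name", basename($file['name']));
    return $id;
}

// Stream a stored file back as a download; it is read as bytes, never included.
function send_download(string $id): void
{
    // Only IDs of the shape we generate, which rules out path traversal.
    if (!preg_match('/^[0-9a-f]{32}$/', $id) || !is_file(STORE . "/$id.bin")) {
        http_response_code(404);
        return;
    }
    $name = (string) file_get_contents(STORE . "/$id.name");
    // Drop control characters, quotes and backslashes from the header value.
    $ascii = preg_replace('/[^\x20-\x7E]|["\\\\]/', '_', $name);
    header('Content-Type: application/octet-stream');  // never text/html
    header('X-Content-Type-Options: nosniff');          // no MIME sniffing
    header('Content-Disposition: attachment; filename="' . $ascii
        . "\"; filename*=UTF-8''" . rawurlencode($name));
    header('Content-Length: ' . filesize(STORE . "/$id.bin"));
    readfile(STORE . "/$id.bin");
}

// Routing (assumed): POST with field "upload" stores, GET ?id=... downloads.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    echo htmlentities(store_upload($_FILES['upload']));
} elseif (isset($_GET['id']) && is_string($_GET['id'])) {
    send_download($_GET['id']);
}
```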