Solved

Upload Security : How to upload , store and download user's uploaded mp3 files securely

Posted on 2013-05-12
4
722 Views
Last Modified: 2013-05-18
We are running a mp3 site in which user can upload mp3 files and play those mp3 files and other user can download those files.

The problem is we are trying to store those mp3 files securely and to prevent from hacking and we are facing lot of ideas to implement security .We are having following queries and please tell us in which will be good to proceed to have security

  1) Storing the uploaded mp3 files outside of document root directory and giving 644 permission for those files and calling those files by using php script for read and download.

    Problem for above method : we heard that even we store the uploaded file outside of root directory, some malicious code will run and damage our server and take control of it.
If we provide 644 permission, we can't delete unwanted mp3 files.

  2) Storing the uploaded files in another server and mounting it to our server.We are not sure how much security will it provide?

Please guide us to choose proper and good security method to implement mp3 file uploading,storing and download.
0
Comment
Question by:bootf
  • 2
4 Comments
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 300 total points
ID: 39159413
If you store the uploaded files outside of the WWW directory tree you've probably done enough to secure the files.  But security is always a continuum and never an absolute.  If you're storing bowling scores or medical records or nuclear launch codes you would choose different security processes.

What is the value of the files you're trying to secure?  Who originates the data and what is the risk if it is exposed or hacked?
0
 

Author Comment

by:bootf
ID: 39159419
Hai Ray, we are allowing user to upload mp3 files and image files in our website.We are  concerning about everything such as php script and database and uploaded mp3 files . We don't want to allow hackers to upload malicious code into our site and get our script or database or mp3 files.We want to prevent hackers to upload malicious code.
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 300 total points
ID: 39159437
If you expect image files, try converting the files to image resources.  There are various conversion functions for different types of files.  If they fail the conversion, discard them.

I would expect (but I do not know for sure) that you could use FFMPEG or similar to detect MP3 files.  

You could rely on the file name suffix, but that seems a bit risky to me and I would prefer to test the files programmatically.

You could also rely on a "trusted community" by using client authentication and associating each file with the client who uploaded it.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 
LVL 33

Accepted Solution

by:
Slick812 earned 200 total points
ID: 39162123
greetings  bootf, ,  For most 'security' measures you take, there is some sort of extra, hassle, time or additional methods needed to have for each.
If you do ANY user file uploads, never give the uploaded files Browser access, as in a web accessible directory. Your first option -
  1) Storing the uploaded mp3 files outside of document root directory and giving 644 permission for those files and calling those files by using php script for read and download.

Is a good one, except you do Not need the 644 permission, use 664 or 764 instead.

You say - "some malicious code will run and damage our server and take control of it."
Many, many Years ago, there was much written about "hiding" code (as PHP script) inside of "Images" and "PDF documents" etc. and the security for that,  However, the development for Apache, and PHP over the years, have eliminated most risk to have script embedded into file, and then used (executed in the shell or PHP engine). But it is still possible to Upload a php text script, with an incorrect extension like .jpg, , , , , , and for the most part, even then if the incorrect files are in a directory that is NOT browser accessible, it is not that much of a risk, ,  unless you in your PHP call that file like
include '/home/domain/uploaded/evil.jpg';
which is really not likely.

But if you can, you really should verify the upload file's "file header" info to verify that at least is has a minimum amount of file info, to be that type of file. This is important for you, because your users will Upload anything as a file that's an images or mp3 "type", and is Not even close to being that file type, I can not tell you how many users have uploaded a MS Word document as an Image file, just because it has an image in it.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
These days socially coordinated efforts have turned into a critical requirement for enterprises.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now