Solved

Upload Security : How to upload , store and download user's uploaded mp3 files securely

Posted on 2013-05-12
4
724 Views
Last Modified: 2013-05-18
We are running a mp3 site in which user can upload mp3 files and play those mp3 files and other user can download those files.

The problem is we are trying to store those mp3 files securely and to prevent from hacking and we are facing lot of ideas to implement security .We are having following queries and please tell us in which will be good to proceed to have security

  1) Storing the uploaded mp3 files outside of document root directory and giving 644 permission for those files and calling those files by using php script for read and download.

    Problem for above method : we heard that even we store the uploaded file outside of root directory, some malicious code will run and damage our server and take control of it.
If we provide 644 permission, we can't delete unwanted mp3 files.

  2) Storing the uploaded files in another server and mounting it to our server.We are not sure how much security will it provide?

Please guide us to choose proper and good security method to implement mp3 file uploading,storing and download.
0
Comment
Question by:bootf
  • 2
4 Comments
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 300 total points
ID: 39159413
If you store the uploaded files outside of the WWW directory tree you've probably done enough to secure the files.  But security is always a continuum and never an absolute.  If you're storing bowling scores or medical records or nuclear launch codes you would choose different security processes.

What is the value of the files you're trying to secure?  Who originates the data and what is the risk if it is exposed or hacked?
0
 

Author Comment

by:bootf
ID: 39159419
Hai Ray, we are allowing user to upload mp3 files and image files in our website.We are  concerning about everything such as php script and database and uploaded mp3 files . We don't want to allow hackers to upload malicious code into our site and get our script or database or mp3 files.We want to prevent hackers to upload malicious code.
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 300 total points
ID: 39159437
If you expect image files, try converting the files to image resources.  There are various conversion functions for different types of files.  If they fail the conversion, discard them.

I would expect (but I do not know for sure) that you could use FFMPEG or similar to detect MP3 files.  

You could rely on the file name suffix, but that seems a bit risky to me and I would prefer to test the files programmatically.

You could also rely on a "trusted community" by using client authentication and associating each file with the client who uploaded it.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 
LVL 33

Accepted Solution

by:
Slick812 earned 200 total points
ID: 39162123
greetings  bootf, ,  For most 'security' measures you take, there is some sort of extra, hassle, time or additional methods needed to have for each.
If you do ANY user file uploads, never give the uploaded files Browser access, as in a web accessible directory. Your first option -
  1) Storing the uploaded mp3 files outside of document root directory and giving 644 permission for those files and calling those files by using php script for read and download.

Is a good one, except you do Not need the 644 permission, use 664 or 764 instead.

You say - "some malicious code will run and damage our server and take control of it."
Many, many Years ago, there was much written about "hiding" code (as PHP script) inside of "Images" and "PDF documents" etc. and the security for that,  However, the development for Apache, and PHP over the years, have eliminated most risk to have script embedded into file, and then used (executed in the shell or PHP engine). But it is still possible to Upload a php text script, with an incorrect extension like .jpg, , , , , , and for the most part, even then if the incorrect files are in a directory that is NOT browser accessible, it is not that much of a risk, ,  unless you in your PHP call that file like
include '/home/domain/uploaded/evil.jpg';
which is really not likely.

But if you can, you really should verify the upload file's "file header" info to verify that at least is has a minimum amount of file info, to be that type of file. This is important for you, because your users will Upload anything as a file that's an images or mp3 "type", and is Not even close to being that file type, I can not tell you how many users have uploaded a MS Word document as an Image file, just because it has an image in it.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
calculated column 12 74
PHP_POST() error message 9 41
mysql update statement effect only some rows 4 26
Checking if varaible is empty 6 29
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
These days socially coordinated efforts have turned into a critical requirement for enterprises.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now