Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trial
Greg Kaleka
39,021 PointsFile Upload Security - Have I Done Enough?
I'm building a site that will require paying customers to upload an excel file. I recognize that allowing users to upload files opens a security hole; a user could upload a php script that allowed them access to the server. I've taken these precautions against this:
- I am saving the file in a directory outside the document root.
- I am generating a random name for the file server-side, which should prevent a malicious uploader from accessing the file post-upload with a perl script, etc.
- After emailing the file to myself (along with information the user has entered into a form) I am deleting the file from the server using
unlink().
So, am I doing enough? Have I left any possibility for exploitation?
Note, I still need to do some form validation. I just want to know if this approach is appropriate.
Thanks!
<?php
// 1. saving outside the root
$uploaddir = ROOT_PATH . 'other/extra-layer/uploads/';
// 2. generating a random name
$uploadfile = tempnam($uploaddir, $_POST['project-name'] . ' ');
if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
$error_message = "File uploading failed.";
echo $error_message;
die;
}
$name = trim($_POST['name']);
$trimmed_email = trim($_POST['email']);
$email_address = filter_var($trimmed_email, FILTER_SANITIZE_EMAIL);
$description = trim($_POST['description']);
$project_files = $uploadfile;
//to do: error checking / validation
if (!isset($error_message)) {
$to = "my@address.com";
$from = $email_address;
$sendgrid = new SendGrid(SENDGRID_USERNAME, SENDGRID_PASSWORD);
$email = new SendGrid\Email();
$email->addTo($to)->
setFrom($from)->
setSubject("Project info from " . $name)->
setText($description)->
setAttachment($project_files)->
addHeader('X-Sent-Using', 'SendGrid-API')->
addHeader('X-Transport', 'web');
$response = $sendgrid->send($email);
if (isset($response->message) && $response->message === 'success') {
$email_sent = true;
}
}
// 3. deleting after emailing
unlink($uploadfile);
?>
Greg Kaleka
39,021 PointsHey Konrad,
I learned PHP on Treehouse. I've continued to build my skills after completing the PHP track, working on some of my own projects. I haven't taken any other courses; rather, I've read blog posts, documentation, etc. Treehouse gives you an awesome foundation, but it's just the beginning!
A lot of these particular concepts/techniques came from this blog post. I couldn't use their technique exactly, since I'm not dealing with image files, I'm not displaying files to the users, and I'm not interested in storing the files in my database. Still it was a great read, and helped me understand the threats I needed to combat.
Best,
Greg
Konrad Pilch
2,435 PointsThats a cool thinkg, reading blogs, i should check them instead youtube videos . I did the basics , some of them at treehouse then i did the simple application and gaved me a good foundation and now im moving in log ing log out and looking tutorials on that and what im doing is i watch the videos and then analize the code and if theres something there i know its on treehouse , or not even , i look in treehouse.
Im more likely going throw yt tutorial or any other and then re-searching stuff in google or treehouse. Like " -> " i know what it means now didnt know before . By research it .
I think i should force my self to go on PHP track, i see there are some console foundationm etc.. i should bare it in mind : p
Thank you.
I was thinking to buy a book or to get a book on PHP as it has everything needed and explains well. Books are powerful .
And i hope your project goes well . I would love to see it when you finish it .
Greg Kaleka
39,021 PointsThanks Konrad. Shoot me an email - greg@gregkaleka.com - and I'll let you know when it's up and running!
The PHP track is well put-together. You'll learn the -> operator in Object Oriented PHP :)
1 Answer
Shawn Flanigan
Courses Plus Student 15,815 PointsIf you're only wanting Excel files to be uploaded and you're worried about people sending you other types of malicious files, you could also put a MIME type check in place.
I'm sure there are other things to consider, but I'm still figuring out the security end of things myself.
Good luck!
Greg Kaleka
39,021 PointsThanks! I'm planning to add a MIME type check (there are lots of different possible excel formats, so I'll need to test a bunch to make sure I'm not excluding any accidentally), but that does more for convenience (not getting the wrong file and having to follow up) than it does for security. Someone malicious won't use the form itself, but rather a script of some kind, in which they'd initiate an HTTP request that looks like a form submission. In that case, the MIME type can be set to whatever the malicious uploader wants it to be.
This blog post has a lot of good info to consider, if you're working on anything similar. It's unfortunately, pretty specific to image uploads, at least in its addressing of security holes, but the threats it outlines are great to know about, and I think the end solution is pretty widely applicable.
Konrad Pilch
2,435 PointsKonrad Pilch
2,435 PointsHi, i know its off the question but just one little question, have you learned all this here in treehouse?