
stop people uploading malicious php files via forms

Tags: php, security, upload, zip

I have an upload form created in PHP on my website where people are able to upload a zip file. The zip file is then extracted and all file locations are added to a database. The upload form is for people to upload pictures only. Obviously, with the files being inside the zip folder, I can't check what files are being uploaded until the file has been extracted. I need a piece of code which will delete all the files which aren't image formats (.png, .jpeg, etc). I'm really worried about people being able to upload malicious PHP files, big security risk! I also need to be aware of people changing the extensions of PHP files trying to get around this security feature.

This is the original script I used http://net.tutsplus.com/videos/screencasts/how-to-open-zip-files-with-php/

This is the code which actually extracts the .zip file:

// Extracts every entry of the uploaded archive into $target, then removes the archive.
// Note: nothing here inspects the entries, so whatever the uploader packed ends up on disk.
function openZip($file_to_open) {
    global $target; // destination directory, set elsewhere in the script

    $zip = new ZipArchive();
    $x = $zip->open($file_to_open);
    if ($x === true) {
        $zip->extractTo($target); // extracts all entries, names and extensions chosen by the uploader
        $zip->close();

        unlink($file_to_open); // remove the uploaded .zip once extracted
    } else {
        die("There was a problem. Please try again!");
    }
}


Thanks, Ben.
    

asked Sep 9, 2015 by rajesh

9 Answers


I'm really worried about people being able to upload malicious php files, big security risk!

Tip of the iceberg!

I also need to be aware of people changing the extensions of php files trying to get around this security feature.

Generally changing the extensions will stop PHP from interpreting those files as scripts. But that's not the only problem. There are more things than ‘...php’ that can damage the server-side; ‘.htaccess’ and files with the X bit set are the obvious ones, but by no means all you have to worry about. Even ignoring the server-side stuff, there's a huge client-side problem.

For example if someone can upload an ‘.html’ file, they can include a

...
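The following is an added example, not the asker's script or the answerer's code, showing how the question's openZip() could be replaced so that entries are inspected before anything reaches the web root, covering the points the answer raises (renamed .php files, .htaccess, executable bits). The names $zipPath and $targetDir and the size limit are assumptions.

```php
<?php
// Added example. Decide per entry from the bytes, not the uploader's file name,
// and never call extractTo() on untrusted archives.
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_ENTRY_BYTES = 10 * 1024 * 1024; // assumed cap per image

function extractImagesOnly(string $zipPath, string $targetDir): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Could not open archive');
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $kept = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        $name = $stat['name'];
        // Skip directories, dot-files such as .htaccess, path traversal and oversized entries.
        if (substr($name, -1) === '/' || strpos($name, '..') !== false
            || basename($name)[0] === '.' || $stat['size'] > MAX_ENTRY_BYTES) {
            continue;
        }
        $data = $zip->getFromIndex($i);
        if ($data === false) {
            continue;
        }
        // Sniff the content type from the bytes; a .php renamed to .png fails here.
        $mime = $finfo->buffer($data);
        if (!isset(ALLOWED_MIME[$mime]) || @getimagesizefromstring($data) === false) {
            continue;
        }
        // A genuine image can still carry PHP in a comment segment, so the uploader's
        // name is discarded: server-chosen name, fixed image extension, not executable.
        $dest = $targetDir . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
        file_put_contents($dest, $data);
        chmod($dest, 0644);
        $kept[] = $dest;
    }
    $zip->close();
    unlink($zipPath);
    return $kept; // paths to record in the database
}
```

The web server should additionally be configured so that no script handler runs for files under $targetDir, since the filter above only controls what is written, not how the server later serves it.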