PHP File Upload Code Injection

Question

Possible Duplicate:
Stop people uploading malicious PHP files via forms

i found a way to clean the images from injected code by adding a very small transparent image to the uploaded image using PHP GD Library this will destroy the injected code (is there a better way ?).

but what about the other extensions if someone injected a code in a text file or whatever extension what can the attacker do in my server and how to prevent this type of code injection.

i'm writing a file upload script and i'm so confused in the security i searched a lot but nothing really helped me.

your help is highly appreciated.

Set the file permission only to read on all uploaded files, that should help — Alex Rashkov, Nov 15 '12 at 16:29
"How to prevent this type of code injection?" Don't allow files to be uploaded. — Alex Howansky, Nov 15 '12 at 16:31
Don't allow files to be uploaded !! it's a file upload center — , Nov 15 '12 at 16:33
I'm interested that your approach actually destroys the malicious code. Preventing execution as illustrated below is great but taking the extra step to take it out seems really cool. — Joshua Kaiser, Nov 15 '12 at 23:47

score 5 · Accepted Answer · answered Nov 15 '12 at 16:38

5

You can set the file permissions of all uploaded files to read using CHMOD like

<?php
  $filename = 'path/to/your/file.zip';
  chmod($filename, '744');
?>

answered Nov 15 '12 at 16:38

Alex Rashkov

9,833
3
32
58

1

thanks this really helped me you deserve a thousand vote simple and great – Hmmm Nov 15 '12 at 16:44

PHP File Upload Code Injection

1 Answers1