
I've built a bulk user import engine for my web application and it's working perfectly. I'm now sitting here asking myself, is it secure? After all, the content of this file is being pumped into my database!

Not being the wisest security nerd around I need a little advice here.

  • Users are not able to rename the file after it's uploaded.
  • When the file is uploaded, its name is instantly changed.
  • Files must be .csv and have a csv relative mimetype for the upload to work.
  • The uploaded file is stored in a directory not accessible via the WWW and is deleted as soon as the import has completed, usually a few hundred milliseconds.
  • I'm opening the file and removing blank lines during the import.

What about the actual content of the file? How can I sanitize the file to ensure it doesn't contain any executable code? I looked at the PHP manual and saw that as of PHP 4.3.5 getcsv() is binary safe, but being totally honest, I'm not 100% sure as to what that means.

I'm currently thinking about converting the CSV content into an array and creating a function that escapes the array content. Any other suggestions or is the above completely safe?

Arbiter
  • fgetcsv should already be putting the content in an array... – Zarathuztra Mar 25 '14 at 01:11
  • It does; it returns an indexed array, but this doesn't escape or sanitise anything, does it? I suppose the question is, do I simply escape each value in the array one by one? – Arbiter Mar 25 '14 at 01:12
  • It's user input and can't be trusted; it should be treated the same as form data. –  Mar 25 '14 at 01:17
  • So just escape the entire array? – Arbiter Mar 25 '14 at 01:18
  • That's one option; you may want to validate each field separately. Not enough information for a definitive answer. –  Mar 25 '14 at 01:21

1 Answer

You can try using array_walk() to run mysql_escape_string() or your database's equivalent to be doubly sure everything is kosher.

// Callback for array_walk(): escapes each value in place (the key is unused).
// mysql_escape_string() belongs to the legacy mysql extension: deprecated since
// PHP 4.3 in favour of mysql_real_escape_string(), which honours the connection's
// character set, and removed in PHP 7.0.
function escape_sql(&$item, $key)
{
  $item = mysql_escape_string($item);
}

array_walk($input_array, 'escape_sql');

If your array is multi-dimensional you can use array_walk_recursive(), which operates similarly.

Lee Salminen
  • This is what I was looking for, I've never used array_walk before and this is going to make the process so much simpler. Thank you! – Arbiter Mar 25 '14 at 01:32
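Putting the comments' advice together (treat the file like form data, validate each field separately), here is an added example that is not code from the question or the answer. It assumes a users(email, display_name, role) table, uses an in-memory SQLite database in place of MySQL, and binds values through a prepared statement rather than the escaping shown in the answer.

```php
<?php
// Added example, not the question's or the answer's code: parse the uploaded CSV with
// fgetcsv(), validate each field against an allow-list, and insert through a prepared
// statement so no field value is ever spliced into SQL text. Assumed schema:
// users(email, display_name, role); an in-memory SQLite database stands in for MySQL.
const ALLOWED_ROLES = ['user', 'editor'];   // a role like "admin" from a file is never accepted
// Validate one parsed row; returns the clean record or null if the row is rejected.
function validate_user_row(array $row): ?array
{
    if (count($row) !== 3) {
        return null;                                    // wrong column count
    }
    [$email, $name, $role] = array_map('trim', $row);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || !preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $name)   // bounded, allow-listed name
        || !in_array($role, ALLOWED_ROLES, true)) {
        return null;
    }
    return [$email, $name, $role];
}
// Import every valid row; blank lines (fgetcsv returns [null]) are skipped. Returns [inserted, rejected].
function import_users($stream, PDO $db): array
{
    $stmt = $db->prepare('INSERT INTO users (email, display_name, role) VALUES (?, ?, ?)');
    $inserted = $rejected = 0;
    while (($row = fgetcsv($stream, 0, ',', '"', '')) !== false) {   // escape '' = no backslash escaping
        if ($row === [null]) {
            continue;
        }
        if (($user = validate_user_row($row)) === null) {
            $rejected++;
            continue;
        }
        $stmt->execute($user);                          // values are bound, never interpolated
        $inserted++;
    }
    return [$inserted, $rejected];
}

// Constructed sample input: a blank line, a quoted name with an apostrophe, a bad e-mail
// address and a disallowed role; the apostrophe is harmless because the value is bound.
$stream = fopen('php://memory', 'r+');
fwrite($stream, "alice@example.com,Alice Smith,user\n\nbob@example.com,\"Bob O'Neil\",editor\n"
    . "not-an-email,Mallory,user\neve@example.com,Eve,admin\n");
rewind($stream);
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT UNIQUE, display_name TEXT, role TEXT)');
[$ok, $bad] = import_users($stream, $db);
printf("inserted %d, rejected %d\n", $ok, $bad);
```

With the sample above, the two well-formed rows are inserted and the bad e-mail address and the disallowed role are rejected; tighten the per-field rules to whatever your real schema requires.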