2

I am working on a website where I allow users to upload an image to a server. In order for file_put_contents() to get the correct permissions, I had to change the user on the server to www-data (the current user for the Apache server).

I am just wondering what possible security issues this may create. Is anyone with more experience able to give a more in-depth explanation, or any alternatives that would be safer?

Al Foиce ѫ
Tyler Pashigian

1 Answer

0
  1. Upload to a different directory above www. If the attacker uploads an executable, then they can't execute it... if they execute it, they can do anything.

  2. Change the uploaded filename to some other name. Don't save the file under the user-supplied name.

  3. Change file permissions to read-only.

  4. Check the file MIME type, not with $_FILES['DFJK']['type'] ... use this to check the MIME type:

    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $_FILES['soup']['tmp_name']);
    

    because the

    $_FILES['filename']['type'] 
    

    can be changed by the user.

  5. Also check the file size, because they will upload very big files, and then your server goes into denial of service mode.

  6. Also, you can use .htaccess to stop executable permission on a directory.

    RemoveHandler .php .phtml .php3
    RemoveType .php .phtml .php3   
    

    also

    php_flag engine off
    
zx485
Sugumar Venkatesan
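
Points 1 to 5 of the answer above combined into one upload handler, as an added example that is not part of the original answer. The function name `store_upload`, the form field `image`, the directory `/var/www-uploads`, the 2 MiB limit and the allow-list of image types are assumptions.

```php
<?php
// Added example; every name below (store_upload, UPLOAD_DIR, 'image') is hypothetical.
const UPLOAD_DIR = '/var/www-uploads';   // assumption: a directory outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;      // assumption: 2 MiB limit
const ALLOWED    = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_upload(array $file): string
{
    // Only accept a file PHP itself received through an HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed');
    }
    // Point 5: enforce a size limit on the received file.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('file is empty or too large');
    }
    // Point 4: derive the MIME type from the content, not from $file['type'].
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = $finfo ? finfo_file($finfo, $file['tmp_name']) : false;
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED)) {
        throw new RuntimeException('file type not allowed');
    }
    // Point 2: server-generated name; the extension comes from the allow-list,
    // so nothing the user typed ends up in the stored path.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    // Point 1: the destination lies outside the web root.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    // Point 3: read-only for everyone.
    chmod($dest, 0444);
    return $name;
}

if (isset($_FILES['image'])) {
    try {
        echo 'stored as ', store_upload($_FILES['image']);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected: ', $e->getMessage();
    }
}
```

Because the directory is outside the document root, stored images have to be sent back to visitors by a script that reads them, for example with `readfile()`.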