Welcome Guest, Not a member yet? Register   Sign In
File Uploads - Best Practices?

I'm curious as to what the best practices are regarding security for codeigniter's file upload library.

I typically use set my allowed types in the configuration and make sure the files are uploaded outside of the codeigniter application directory as can be seen in the sample config below.

$config = array(
'allowed_types' => 'jpg|jpeg|pdf',
'upload_path' => realpath(APPPATH . '../uploads/'),
'max_size' => 1500
$this->load->library('upload', $config);

Are the allowed types case sensitive? And do they take into account files with wrong file extensions? What other security measures can be taken. Also, Is it possible to make a file upload a required form field in codeigniter?

Sorry for all the questions I haven't had to really deal with file uploads in the past but any help is appreciated.


1. The allowed types are not case sensitive
2. Files with wrong extensions will not be uploaded
3. You could restrict file size, rename files on upload, change permissions on your uploaded folder so that files within it are not executable, restrict upload by login, you could restrict file type on the folder using .htaccess, disable script execution an Hide indexes with .htaccess
4. Check out codeigniter validation here to achieve required form field or use JavaScript

Check out a detailed security guide here

Hope that helps

[eluser]Oscar Dias[/eluser]
Regarding the last question "Is it possible to make a file upload a required form field in codeigniter?". Correct me if I'm wrong, but the form_validation doesn't work with file uploads because the form_validation works only with $_POST, while file uploads use $_FILE.
I use callback functions to validate file uploads as required, as follows:
$this->form_validation->set_rules('picture', 'Picture', 'callback_required_file[picture]');

And the callback function:
public function required_file($str, $field)
    if (!isset($_FILES[$field]))
        $this->form_validation->set_message('required_file', 'The %s field is required.');
        return FALSE;
        return TRUE;

Thank you both for your help. That security guide is extremely useful and Oscar Dias I never even thought about using a callback function to make it a required field. I'll definitely be trying out some of these methods.

Theme © iAndrew 2016 - Forum software by © MyBB