[eluser]boltsabre[/eluser]
Hi guys and girls,
I'm going to be delving into the file upload class next week, and was hoping we could get together a list of best practices when it comes to the beast that is file upload security VS usability for the users VS processing/server times to process it all.
What do you do to ensure the file upload process is not a hacker's paradise? Let's start with images (jpg|jpeg|gif|png).
File Upload Class:
- Do you rename the image and store that in a DB using "encrypt_name", or some other random string generator?
- Do you set a max width, height, size? If so, what do you find is best in today's world of smart phones/cameras with massive megapixel capabilities (thus massive image sizes)?
- Obviously for an image upload you want to set "allowed_types" to "jpg|jpeg|gif|png" (or is the 'jpeg' redundant?).
Image Manipulation Class:
- Does using this class mitigate the dreaded "double extension" hack? (i.e., uploading a file called "myfile.php.jpg" will execute as PHP when called).
- As above, but for the "embedded code in image meta data" hack? (i.e., where you embed PHP code in the image meta data, when you call that image it will process that PHP script).
General:
- Where do you put your uploads folder (hopefully not in the root folder!)
- Do you have a .htaccess file in there? If so, what's in it and what does it do?
- What permissions do you give this folder? 775 or 777?
And finally: I'm sure there is much more to consider when securing file uploads, what else do you do?
And finally number 2: What if you wanted a "resume" uploader (for example), what else, or different, do you do? Let's say, what do you do to secure a word/pdf upload (word not to be confused with MS_Word, I meant a general word document upload, many Mac users don't use MS_Word...)
Thanks in advance, hopefully we can get a good outline on best practices in CI for securing (image and word/pdf) uploads!!!
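
An added example, not part of the original post and not CodeIgniter's own code: a plain-PHP helper showing one way to handle the renaming, size limit, "double extension" and metadata concerns listed above in a single step. The function name `store_image_upload`, the limits and the use of the GD extension are assumptions; it needs PHP 8 and a destination directory outside the web root.

```php
<?php
// Hypothetical helper (added example). Assumes the GD extension is loaded.
const MAX_BYTES = 5 * 1024 * 1024;   // assumed limits, tune per application
const MAX_SIDE  = 6000;              // max width/height in pixels

function store_image_upload(string $tmpPath, string $destDir): string
{
    if (!is_file($tmpPath) || filesize($tmpPath) > MAX_BYTES) {
        throw new RuntimeException('missing or oversized upload');
    }

    // Decide the type from the file content, never from the client filename,
    // so a name like "myfile.php.jpg" contributes nothing to the stored name.
    $info = @getimagesize($tmpPath);
    $loaders = [
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'png'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'gif'],
    ];
    if ($info === false || !isset($loaders[$info[2]])) {
        throw new RuntimeException('not an accepted image type');
    }
    if ($info[0] > MAX_SIDE || $info[1] > MAX_SIDE) {
        throw new RuntimeException('image dimensions too large');
    }

    [$loader, $ext] = $loaders[$info[2]];
    $img = @$loader($tmpPath);           // full decode: rejects truncated or fake images
    if ($img === false) {
        throw new RuntimeException('image failed to decode');
    }
    if ($ext === 'png') {
        imagesavealpha($img, true);      // keep transparency when re-encoding
    }

    // Re-encode under a random name with a single, server-chosen extension.
    // GD writes freshly encoded pixel data, so EXIF and comment segments
    // from the original file are not carried over.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($ext) {
        'jpg' => imagejpeg($img, $dest, 85),
        'png' => imagepng($img, $dest),
        'gif' => imagegif($img, $dest),
    };
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644);                  // data file: readable, never executable
    return $dest;
}
```

Re-encoding reduces what survives from the original file but is not a substitute for keeping the upload directory out of any path the server will execute scripts from.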