I have a site that will allow customers to upload files. Here is my concern:
If someone uploads "hackyoursys.php", the file is put into the webserver directory. If they manage to discover which directory their file went into, they could execute any number of nasty commands on my server.
So, I have looked into having the file uploaded:
1) to a file outside of the webserver directory - can't figure out how to reference this path
2) via FTP - still having trouble feeling secure about this
3) to a MySQL database as BLOB
Any suggestions? Thanks in advance.
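Option 1 from the question (storing uploads outside the webserver directory), as an added example that is not part of the original post. It assumes a document root of `/var/www/html` and a sibling directory `/var/www/uploads` writable by the PHP user; the function names, the paths and the extension allowlist are hypothetical.

```php
<?php
// Added example; paths and names are assumptions, not from the original post.
// UPLOAD_DIR sits beside the document root, not under it, so no URL maps to it.
const UPLOAD_DIR = '/var/www/uploads';   // assumed docroot: /var/www/html
const ALLOWED = ['pdf' => 'application/pdf', 'png' => 'image/png', 'jpg' => 'image/jpeg'];

// Returns the extension when the client file name and the sniffed content both
// match the allowlist, otherwise null.
function allowed_extension(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;                      // "hackyoursys.php" is rejected here
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $mime === ALLOWED[$ext] ? $ext : null;
}

// Moves one entry of $_FILES into UPLOAD_DIR under a server-chosen name and
// returns that name, to be stored in the database next to the customer id.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = allowed_extension($file['name'], $file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;  // client name never reaches disk
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return $stored;
}

// Streams a stored file as a download. readfile() treats it as data, so it is
// never executed. The caller checks that the customer owns $stored first.
function send_download(string $stored): void
{
    $path = UPLOAD_DIR . '/' . $stored;
    if (!preg_match('/^[0-9a-f]{32}\.(pdf|png|jpg)$/', $stored) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

An upload handler would call `store_upload($_FILES['userfile'])`, where `userfile` is an assumed form field name, and a separate download script would call `send_download()` with the stored name looked up for the logged-in customer.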