protecting file upload


I've read a few bits on the web about vulnerabilities in providing
file uploads where the upload could contain ../../ and so allow 'back
browsing' to other files on the server and copying them to a public
directory. If I was to check for this scenario, would I have to do
something like (in simple terms):

if $_FILES['userfile']['tmp_name'] or $_FILES['userfile']['name'] =
echo u are norty
continue with code

Also, is it possible to verify that the referring html form to my
upload script originates from my server only? I could stop anyone from
creating their own forms then.

Many thanks

Re: protecting file upload (ahevans) wrote in news:d589c3f.0502120410.15a672d7




(URL should all be on one line. Hey Google, new blows.)


It's possible to detect the referring URL, but anyone can send whatever
Referer header they choose. There is no real security in checking the
Referer header.


Bulworth : PHP/MySQL/Unix | Email : str_rot13('f@fung.arg');
< | PHP scripts, webmaster resources
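
An added example, not part of the thread: one way to handle both concerns raised above in PHP. It keeps only the leaf of the client-supplied name instead of searching for `../`, and uses a per-session form token in place of the Referer check; `UPLOAD_DIR` and the `upload_token` field name are assumptions made for this illustration.

```php
<?php
// Added example, not code from the thread. UPLOAD_DIR and the form field
// name 'upload_token' are assumptions made for this illustration.
const UPLOAD_DIR = '/var/www/uploads';   // assumed: a directory outside the web root

// Reduce a client-supplied filename to a safe leaf name, or return null.
function safe_upload_name(string $clientName): ?string
{
    // Normalise Windows separators first: basename() on Unix only splits on '/'.
    $leaf = basename(str_replace('\\', '/', $clientName));
    // Allow-list the characters rather than hunting for '../' variants.
    $leaf = preg_replace('/[^A-Za-z0-9._-]/', '_', $leaf);
    // Reject empty names and dot-only names ('.', '..').
    if ($leaf === null || $leaf === '' || trim($leaf, '.') === '') {
        return null;
    }
    return $leaf;
}

// Per-session token: the upload form embeds it in a hidden 'upload_token' field.
function issue_token(): string
{
    if (empty($_SESSION['upload_token'])) {
        $_SESSION['upload_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['upload_token'];
}

function handle_upload(): string
{
    $sent = $_POST['upload_token'] ?? '';
    $want = $_SESSION['upload_token'] ?? '';
    if (!is_string($sent) || $want === '' || !hash_equals($want, $sent)) {
        return 'rejected: form token missing or wrong';
    }
    $file = $_FILES['userfile'] ?? null;
    // tmp_name is chosen by PHP, not the client; is_uploaded_file() confirms it is a real upload.
    if (!is_array($file) || $file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return 'rejected: no valid upload';
    }
    $name = safe_upload_name($file['name']);
    if ($name === null) {
        return 'rejected: bad filename';
    }
    // move_uploaded_file() refuses any source path that is not an HTTP upload.
    return move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)
        ? "stored as $name" : 'rejected: could not store file';
}

session_start();
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') { echo handle_upload(); }
```

The page that renders the form calls `issue_token()` after `session_start()` and prints the value into the hidden field. The token ties the POST to a form this server issued to the same session, which a Referer header cannot do.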
