DevSnips.com Code Snippet Repository
10 Things you can do to protect file uploads via PHP on your Linux / Apache web server

Today I came across an awesome article/tip on how to improve security for uploads using PHP and an Apache/Linux server. The site is called Uno-Code.com, which is a great server administration blog. It discusses Linux-related items pretty heavily, specifically Gentoo Linux, so it might not be for everyone.

The article touches on some great security points, mostly the idea of having multiple security layers to protect your application and/or server. I'll be writing an article in the near future about comment spam and techniques to help stop that. But I believe in the multi-layer approach, since no single layer is foolproof against attacks.

The article discusses mod_security and the new hardened PHP module/project called Suhosin to help verify files before moving further with the code. It also talks about the 'type' value in the $_FILES array. I've had this discussion countless times with other programmers. This value should NEVER be trusted, since it is sent from the browser to the server. Anything from the client should NEVER be trusted, since the client can change that value.
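The point about $_FILES 'type' as an added example, not code from this post or from the Uno-Code.com article: the handler decides from the file's bytes with PHP's fileinfo extension and never reads the browser-supplied 'type' or 'name'. The function names, the allowlist and the destination directory are assumptions for illustration.

```php
<?php
// Added example. vetUpload(), storeUpload(), ALLOWED and $destDir are
// hypothetical names chosen for this illustration.

const ALLOWED = [            // server-detected MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Returns the extension to store the file under, or null to reject it.
// $file['type'] and $file['name'] come from the client and are not consulted.
function vetUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);   // inspects the content itself
    return ALLOWED[$detected] ?? null;
}

// Moves a vetted upload into $destDir under a server-chosen name.
function storeUpload(array $file, string $destDir): ?string
{
    $ext = vetUpload($file);
    if ($ext === null || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], "$destDir/$name") ? $name : null;
}

// Constructed sample: a text file whose browser-reported type claims to be a GIF.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'not an image'; ?>");
$spoofed = [
    'name' => 'cat.gif', 'type' => 'image/gif', 'tmp_name' => $tmp,
    'error' => UPLOAD_ERR_OK, 'size' => filesize($tmp),
];
var_dump(vetUpload($spoofed));   // rejected: the detected type is not in ALLOWED
unlink($tmp);
```

A file can start with valid image bytes and still carry other data after them, so the content check is one layer among several. The server-assigned name and extension, and an upload directory where the web server does not execute PHP, are further layers.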

Everyone should take a look at these points; you might get an idea to improve your security strategy in relation to file uploads. File uploads can be dangerous, so anything that helps lock them down is a good thing!


Submitted on 08/08/07 at 10:08AM