I've created a CMS system that grabs website source code from FTP addresses and uploads it to the current server. The issue with this is I don't want to be uploading dangerous code that can control my server.
Is there any tried and tested functions that already exist to filter PHP code for malicious code?
Thanks in advance.
The issue with this is I don't want to be uploading dangerous code that can control my server.
Then don't do this. There is no 100% reliable way to exclude the possibility that code is malicious in some way.
That said, there is a list of exploitable PHP functions here on SO. But in your case, I'd still say - if you can't trust the code you are uploading, don't upload it. Find another way to do what you need to do.
Related
I have a CakePHP application that allows users to upload images. I am currently using version 2.
My concerned that hackers could embed code in the images and that code then being executed on the server.
Does anybody know if using the image validation methods used on the CakePHP documentation includes security checks for this?
Here is a link that may exaplin better what I am asking.
PHP image upload security check list
Thanks in advance
You may want to first properly elaborate the situation you are concerned about, like, how would code embedded in an image be executed on the server? What kind of code would that be? What does the server / the application do with these images? Just moving them in the filesystem certainly won't do anything, no matter the files content.
CakePHP does not ship with any validation functionality that would check for the integrity/validity of binary image data. Possibly image related validation methods like Validation::mimeType() only do very basic file header checks via PHPs finfo_* or mime_content_type function.
Even if CakePHP would validate the image data structure, people could still embed all kinds of stuff via metadata for example, so if someone managed to include an image in the right context, possibly embedded code could be executed.
As mentioned initially, assess the threat first, then figure the proper defense mechanisms. If you need more security than CakePHPs built-in validation provides, then you'll probably have to process the image and ditch/filter metadata. However, even that may be exploited, properly crafted PNG IDAT chunks for example may even survive processes like resizing/resampling:
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
I am building a website where I am uploading images to my ftp folder through PHP script. Now I want to display those images on to my HTML pages. I was thinking about using PHP and getting array of all the images from my ftp folder and then display them using image view.
Please tell me if I am doing this the wrong way and if there is any other better alternatives to it. I was reading php manual for ftp_nlist and ftp_rawlist but did not understand.
Well it may depend on how many images you have in there. Probably the most "correct" way to do it would be to store the filenames in a DB. You could scan the entire folder, but for every single request that's potentially a lot of overhead rather than just grabbing them out of a DB.
Are you manually uploading the images? Give us more details on how that works and we can better serve you. If you're using a script to upload images (I've had lots of projects where that's the case), then you can just have the script insert those filepaths into the DB for you. If not, (you're manually uploading them), or if indeed there are not a large number of files, then scanning the folder wouldn't necessarily be a bad thing. I've used that method on smaller projects myself.
Read up on the php readdir function in the docs (which actually works a lot like mysql_fetch_assoc, ironically)- That will provide you with an excellent way to go without setting up a DB. For an approach where an upload script handles it, I recommend a DB. Without more info, it's hard to say.
Good luck!
I am (still) attempting to upload large files <200mb via a html form using php.
During my research into this I have come across the term "chunking", I understand that this process can break the file into handy sizes such as 5mb and reassemble them into the full file at the server side.
My problem seems to be where I can begin? I seem unable to find the correct resources by googling (Or perhaps I'm suffering from not knowing which terms to search for).
So what I'm hoping for today is a chance to educate myself with the basics, a direction in which to look would be very helpful. I don't really want to download a plug-in or anything like that, I would prefer to learn by experimentation.
EDIT to add: Although the two answers below would appear to be correct, this takes me into the realm of stuff that I can't do as a designer...If anyone reading this can suggest a different approach I would appreciate it.
Web browsers do not split uploads into chunks. For this you'll have to use your own "chunking" client: a Flash program or a Java applet.
You can take a look at JUpload. There are also examples in the wiki.
From SourceForge :
Multiple File Upload Applet (JUpload) takes care of the limitation posed by traditional HTML upload forms by allowing you to upload a whole directory and the files within it with a single click. Optionally, it allows simple picture management.
I need a php code and sql code that will let someone upload an image to a database. The only thing I can find is very glictchy and not accepted by some browsers. Any ideas?
NEVER store images in the database. NEVER EVER EVER EVER. There are tons of other questions posted here about it that you may want to ready up on.
Always store directly on filesystem, and store the image URL of the file in the database.
If I understood correctly, you want to upload image files (or any files) via browser to the server and save them in the database. If that is the case, read this:
http://www.php-mysql-tutorial.com/wikis/mysql-tutorials/uploading-files-to-mysql-database.aspx
There are likely lots of available tutorials online to show you how to do this (you might take a look at this one: http://www.codewalkers.com/c/a/Database-Articles/Storing-Images-in-Database/).
I think that this is not the most efficient way to handle images, however. You might consider writing them to a folder and simply keep the name of the file and its location in the database. This stackoverflow question might help: How to store file name in database, with other info while uploading image to server using PHP?
I want to browse all folders on my computer without using opendir(), in PHP.
I think I managed to extract the real question out of the comments: What you actually want is to provide an upload of multiple files.
Answer: No this is not possible with PHP, since it is executed by the server, not by the browser. PHP can give you folders on the server, not on the machine of the user. If you want to upload multiple files in a single step, you should use flash, javascript or something similar.
Why wouldn't you want to use the function that's actually provided to do what you want?
In one of the comments, seeming says:
i want the user to select couple of
files and upload rather than having
multiple upload boxes. why are people
downvoting this question?
Well, it is because your question is unclear and it is impossible to answer without the context of multiple file uploads.
The answer is: you can't do that with PHP.
PHP runs serverside, so it can only give you a list of all the folders on the server; not the folders on the client side.
So the solution you need will either be
a Java-Applet (Facebook uses this for multiple file uploads)
or Flash/Flex (Gmail multiple file upload)
The result will be a very ugly combination of glob() and stat(). Is there some reason you can't work with opendir() and friends?
Edit:
If PHP does not have suitable permissions to access everything you want to see, using another function is not going to help.
What (exactly) are you trying to do?
Why don't you use the following?
opendir(DIRECTORY_SEPARATOR);