You can also keep information about the file uploaded in your MySQL such as IP address.
I can't really see any security problems here.
From: John Nichel <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: [PHP] Re: PHP Security
Date: Thu, 09 Dec 2004 15:53:50 -0500
Richard Lynch wrote:
Chris Shiflett wrote:
--- Greg Donald <[EMAIL PROTECTED]> wrote:
http://seclists.org/lists/security-basics/2004/Dec/0080.html
Most of this is actually true.
The one statement that is unclear is the following:
"There are two kinds of flaws : - flaws inherent to the php language itself, as seen before, in file uploads. - danger in uploading files at all on the server, not dependent on the language used to handle the actual upload, but regarding the potential execution of uploaded files."
This may have been meant hypothetically, meaning that there are two areas
where flaws could potentially exist - in the language or in the code. If
this was meant to suggest that there are existing flaws in the language,
then this is never justified.
I didn't find the statement to be unclear: that kind of flaw can exist, and it has been seen.
There was, unless I've been severely misinformed, a file upload security bug in a PHP 4 Beta (possibly even Release Candidate). Did it make it to release? I'm sure anybody on this list can dig out that answer as fast as I, so I won't. You'll learn more finding out for yourself anyway.<snip>
I'm pretty sure Chris is one who doesn't have to dig to find out about an old security flaw.
-- John C. Nichel ÜberGeek KegWorks.com 716.856.9675 [EMAIL PROTECTED]
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php