Uploading a file (such as an image, zip, or PDF) is quite common in website development, and PHP makes the process very simple with the move_uploaded_file method. But hackers are always on the lookout for easy prey, such as .exe, PHP, and scripting files.
Although this does not guarantee that after this your code and server will be fully protected from hackers. but something is better than nothing.
Below are some tricks that you can use while writing code for file uploading –
Before placing the file on the server, you may add non-executable permission to it. The server will be safe from executable and scripting files using this approach. You can use PHP’s chmod() function to change file permissions.
if(move_uploaded_file($_FILES[“uploadedfile”][“tmp_name”], $target_path)) {
chmod($target_path, 0755);
}else{
echo “There was an error uploading the file, please try again!”;
}
A very common trick used by hackers is changing the content type of a file to a valid one. To ensure that the uploaded file is a valid one or an image file, you can use the getimagesize() method.
$imageinfo = getimagesize($_FILES[“uploadfile”][“tmp_name”]);
if($imageinfo[“mime”] != “image/gif” && $imageinfo[“mime”] != “image/jpeg” && isset($imageinfo))
{
// invalid file
}
The best way to avoid users from requesting uploaded files straight away is to keep the file in a folder outside the root. However, the major disadvantage with this method is that after this server will be unable to access the file.
You can set permission and prevent hackers to access files by making changes in the .htaccess file, If somehow hackers upload a file this will prevent executing a file.
Sometimes you need to obtain input from the user in order to determine which file should be included in the PHP script. For example, suppose your site is called Site_languageuage.
if(isset($_COOKIE[‘Site_language’])){
$Site_language = $_COOKIE[‘Site_language’];
} elseif (isset($_GET[‘Site_language’])) {
$Site_language = $_GET[‘Site_language’];
} elseif (isset($_GET[‘Site_language’])) {
$Site_language = $_GET[‘Site_language’];
} else {
$Site_language = ‘english’;
}
$siteLanguagePath = “Language/”.$Site_language;
include($siteLanguagePath);
Now there is no security for the input of site_language, An hacker can take benefit of this and enter the path of the file that he wants to execute.
As a result, to guarantee that hackers do not upload any harmful files to the system, you must secure your input/upload feature.
While uploading to the server, it is a good idea to change the file’s name. Hackers would find it difficult to figure out the name of the file and then hack or download it from the server.
It’s possible to encrypt and decrypt files using a variety of methods, including md5, for example. Alternatively, you might use self-encryption to encrypt and decrypt file names.
You may secure your system by restricting or limiting the file size that can be uploaded. It will prevent users from uploading a huge file that would exceed the limit and cause problems to your system.
You can make these changes by using html as well as PHP script
Html:
<input type=’hidden’ name=’MAX_FILE_SIZE’ value=’100000′ />
PHP:
$max_file_size = 100000000;
if(!$file_size || $file_size > $max_file_size) {
echo “File size is more than maximum size limit”;
}
After successful authentication, you may also check session authentication and enable file upload functionality.
or
You can also add a captcha to provide security against automated scripts. There are still several techniques available to us to safeguard your server from hackers and prevent them from uploading harmful material –
– Check the mime type
– Use an anti-virus
– Use a combined protection
– Use a different subdomain for uploading purpose
Each day new techniques are discovered to stop hackers from such work so keeping you update is best practice to keep your data secure.
In website development, uploading a file (such as an image, zip, or PDF) is quite common, and PHP makes the procedure straightforward with the move_uploaded_file method. However, hackers are always looking for easy prey such as .exe, PHP, and script files. We hope that this blog helped you in some manner. Keeping up with the latest methods to defend yourself from such jobs is essential in order to keep your data secure.
Need expert solutions for your online project? Get in touch with our team of specialists today!
ABOUT THE AUTHOR