
I have a form on my website where users can upload files as TXT. These files are always PHP files; I ask users to change the extension so they will do no harm to the server (which is running Apache + PHP).

The file has to be uploaded to the www directory because later they can download the file if necessary. I cannot save the file in the root (above public_html) because the user has to have access to download the file at any time. The problem is that when the user opens the URL containing the PHP file it would be executed, and that would be a big hole in the security.

So far I am asking users to upload the file as txt, but I want to make it more professional and allow them to upload it as *.php. How can I prevent attacks from people uploading files with security threats from damaging my server?

Thank you.

2
  • If you're blindly serving random PHP files, you're asking for trouble. Commented Jul 26, 2013 at 17:14
  • I need to serve random PHP files, but I want the ability to create, for example, some directory or some place where the PHP is not interpreted! Commented Jul 26, 2013 at 17:16

3 Answers

1

I would suggest you upload them as .phps files; when you view them, they will be syntax-highlighted PHP files and won't be executable.

If .phps files don't work on your web server by default, you can try this: https://kb.mediatemple.net/questions/1655/How+do+I+enable+.phps+file+to+be+color+highlighted%3F

Disable PHP

Alternatively, you can upload them to another directory and disable PHP there by putting the following in that directory's .htaccess file.

php_flag engine off

3 Comments

That's a good idea, but the point here is not to ask users to change the extension. I would like the ability to allow users to upload PHP files and download them later. Thank you anyway :)
You can upload to another directory below www and disable PHP in that dir; check my edit. Also, you can make your script turn them into .phps files; you don't need to get the user to change them.
Can I upload only one .htaccess to that directory, and will it take effect only in that directory?
0

Let them upload as PHP; then, when moving the temp uploaded file to its permanent home, give it a name like myfile.php.source. On the download page, don't just link to the files; stream them. That way you can force a download instead of loading the page in a browser, and you can control the way it is delivered in the header, e.g.:

header("Content-Disposition: attachment; filename=\"$file\"");

Hope that helps

2 Comments

Also... when you store the files, set the permissions so that the Apache server cannot execute them.
It's too complicated. The other answer is easier to me. Thank you anyway!
0

Create a folder and configure your PHP to upload all the script files there.

Set the folder permissions to 744.

That prevents any file in that folder from being executed.

3 Comments

How do I change the permission of the file? I am on a shared host... can I change the permission only with PHP? I know that using FTP I can do that, but I did not know that it's possible with PHP! Thank you!
I tested before posting. I used that technique in the old days when CGI was commonly used, and apparently it still works today for PHP scripts.
File permissions can be changed using PHP with the chmod function: php.net/manual/en/function.chmod.php
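The following is an added example, not code from any of the answers above. It combines the three suggestions into one upload handler and one download handler: the .htaccess from the first answer (extended with directives that still apply when php_flag is ignored, e.g. under PHP-FPM/FastCGI), the non-PHP on-disk suffix and streamed download with a Content-Disposition header from the second, and the chmod from the third. The upload directory, the form field name "script", the random id scheme and the index.json file are assumptions made for the illustration; nothing here is the original poster's code.

```php
<?php
// Added example, not code from the original answers: one upload handler and
// one download handler that combine the three suggestions above. Paths, the
// form field name "script", the id scheme and the index file are assumptions.

const UPLOAD_DIR = __DIR__ . '/uploads';   // inside the web root, as the question requires

// .htaccess dropped into UPLOAD_DIR. Line 1 is the first answer's setting
// (mod_php only). The rest covers PHP-FPM/FastCGI, where php_flag is ignored:
// un-map the PHP handler, refuse to serve anything that still looks like a
// script, and keep the index file private. "Require" is Apache 2.4 syntax.
function htaccess_rules(): string {
    return implode("\n", [
        'php_flag engine off',
        'Options -ExecCGI',
        'RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phps',
        'RemoveType .php .phtml .php3 .php4 .php5 .php7 .phps',
        '<FilesMatch "\.(php|phtml|php[0-9]|phps)$">',
        '    Require all denied',
        '</FilesMatch>',
        '<Files "index.json">',
        '    Require all denied',
        '</Files>',
    ]) . "\n";
}

function ensure_upload_dir(): void {
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0755, true)) {
        throw new RuntimeException('cannot create ' . UPLOAD_DIR);
    }
    $ht = UPLOAD_DIR . '/.htaccess';
    if (!is_file($ht) || file_get_contents($ht) !== htaccess_rules()) {
        file_put_contents($ht, htaccess_rules(), LOCK_EX);
    }
}

function load_index(): array {
    $path = UPLOAD_DIR . '/index.json';
    return is_file($path) ? (json_decode(file_get_contents($path), true) ?: []) : [];
}

// Store an upload under a server-chosen name; returns the id for the download link.
function store_upload(array $file): array {
    ensure_upload_dir();
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $file['error']);
    }
    // The client-supplied name is used only for the download header, and only
    // after sanitising: it may contain "../", a NUL byte, quotes or newlines.
    $original = preg_replace('/[^A-Za-z0-9._-]/', '_', basename((string)$file['name']));
    if ($original === '' || $original[0] === '.') {
        $original = 'script.php';
    }
    // On disk the name is random and contains no ".php" substring at all:
    // with AddHandler-style configs mod_mime looks at every extension in the
    // name, so "x.php.source" can still be handed to the PHP module.
    $id = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.source';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    // Execute bit off, as the third answer suggests. Under mod_php this alone
    // does not stop execution (the module reads the file rather than running
    // it); the .htaccess above is the control that does.
    chmod($dest, 0644);
    $index = load_index();
    $index[$id] = $original;
    file_put_contents(UPLOAD_DIR . '/index.json', json_encode($index), LOCK_EX);
    return ['id' => $id, 'name' => $original];
}

// Stream a stored file as a download (second answer). Only ids in the server's
// own format are accepted, so a request cannot name an arbitrary path.
function send_download(string $id): void {
    $index = load_index();
    $path = UPLOAD_DIR . '/' . $id . '.source';
    if (!preg_match('/^[a-f0-9]{32}$/', $id) || !isset($index[$id]) || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');   // no MIME guessing by the browser
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $index[$id] . '"');
    readfile($path);
    exit;
}

// Wiring: a POST with a file field "script" stores it; GET ?id=... downloads it.
if (PHP_SAPI !== 'cli') {
    if (isset($_FILES['script'])) {
        $meta = store_upload($_FILES['script']);
        echo 'Stored. Download: ?id=' . htmlspecialchars($meta['id']);
    } elseif (isset($_GET['id'])) {
        send_download((string)$_GET['id']);
    }
}
```

Two things are worth checking after deploying this. First, php_flag and Options need AllowOverride Options in the vhost, and RemoveHandler/RemoveType need AllowOverride FileInfo; if the host does not permit them, Apache answers 500 for the whole directory, which fails closed rather than open. Second, verify the result the way an attacker would: put a file containing `<?php echo 'executed'; ?>` in the directory under its stored name, request it directly by URL, and confirm the raw source (or a 403) comes back instead of the string "executed".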
