Hi there, I was wondering about the security of file uploads. I am
currently using the PEAR uploader class. I can check for allowed file
extensions, but it doesn't seem to check for file type; I can currently
rename, say, an image to zip and it uploads. Is there any way a hacker
could rename an executable to a zip and be able to upload it and
execute it?

I can't address your specific question but here are a couple of
recommendations:
-Rename the uploaded file so that the user won't know what it's called
on the server.
-Store the file outside of the Web directory so it's not accessible via
HTTP.
Hope that helps,
Larry
--
PHP General Mailing List (http://www.php.net/)
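
The two recommendations in the reply, combined with the content-based type check the question asks about, as an added PHP example that is not part of the original thread and does not use the PEAR uploader class. The form field name `upload`, the storage path `/var/app-data/uploads`, the size limit and the allowed-type list are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed names: form field
// "upload" and a storage directory that lies outside the web root.
const UPLOAD_DIR = '/var/app-data/uploads';   // hypothetical path
const MAX_BYTES  = 5 * 1024 * 1024;           // assumed size limit
// Content types (detected from the file's bytes) mapped to the
// extension the server assigns; the client's extension is never used.
const ALLOWED = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/zip' => 'zip',
];

function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Only accept a temp file that PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an HTTP upload');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Detect the type from content; ignore $file['name'] and $file['type'],
    // which are supplied by the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new RuntimeException('File type not allowed');
    }
    // Server-chosen random name, so the uploader cannot predict it.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    chmod($dest, 0640); // no execute bit on stored files
    return $name;       // caller records this server-side (e.g. in a database)
}

if (isset($_FILES['upload'])) {
    try {
        store_upload($_FILES['upload']);
        echo 'Upload accepted';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES);
    }
}
```

Content detection with `finfo` is best-effort and can be fooled by crafted files, so the random name and the storage location outside the web directory remain the controls that keep an uploaded file from being requested and executed over HTTP.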