Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

Gremmie
Former Moderator in Good Standing
Joined: Apr 06, 2006
Posts: 2415
Location: Iowa, USA
Posted: Tue Apr 11, 2006 5:18 pm

I'm new to this stuff, but I know enough to ask for advice. :)

I am working on an upload module. I am running a 7.9 PHP-Nuke with the 3.2 patches. I have Sentinel installed.

My idea is to let the user upload a file into a holding area, and the user sends along similar info as for the Downloads module. This info will be inserted into a new pending uploads table. Once the admin approves the upload, the file is moved to a downloads area, and the info from the pending uploads table is inserted into the existing downloads module table(s).

I've started coding the upload part and initial form and it's going well. But I would like to ask the security experts here what I should do to make this script safe.

I am hoping I can make calls into the existing PHP-Nuke code base to use the security graphic. True?

I am going to filter() all the form data.

I am going to check the MIME type and file extension against configurable allowable arrays.

I am going to set up an upload area disk space quota and not accept uploads if this is exceeded.

Any advice? Thank you.
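The checks listed in the post (extension and MIME type against a configurable allow-list, a disk quota on the holding area) are what a moderated upload handler has to get right. The code below is an added example written for this thread, not code from the original post or from PHP-Nuke; it assumes modern PHP (7 or later, for `random_bytes` and `finfo`), a holding directory at a hypothetical path outside the web root, and a constructed allow-list. It deliberately does not call PHP-Nuke's `filter()` or its security graphic, which are separate from the file checks:

```php
<?php
// Added example (not from the original post or PHP-Nuke): server-side checks for
// a moderated upload holding area, in the shape the post describes.

// Constructed allow-list: extension => MIME types libmagic is expected to report.
// Keep this tight; an entry here is a decision that this content may be served later.
$ALLOWED_TYPES = [
    'zip'  => ['application/zip'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'txt'  => ['text/plain'],
];
const MAX_FILE_BYTES   = 2 * 1024 * 1024;   // per-file cap (assumed value)
const HOLD_QUOTA_BYTES = 50 * 1024 * 1024;  // cap on the whole holding area (assumed value)

// Sum of file sizes currently in the holding directory, for the quota check.
function holdingAreaBytes(string $dir): int {
    $total = 0;
    foreach (new DirectoryIterator($dir) as $entry) {
        if ($entry->isFile()) {
            $total += $entry->getSize();
        }
    }
    return $total;
}

// $file is one entry of $_FILES. Returns [true, stored name] or [false, reason].
// 'name' and 'type' in $_FILES are client-supplied and are never trusted here:
// the name only contributes its extension, and the type is ignored entirely.
function acceptUpload(array $file, string $holdDir, array $allowed): array {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload missing or failed'];
    }
    // Guards against being handed an arbitrary server path instead of the PHP temp file.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    if ($file['size'] > MAX_FILE_BYTES) {
        return [false, 'file too large'];
    }

    // Extension check: only the final suffix counts, lower-cased, so "a.jpg.php"
    // is judged as php (rejected) and a name with no suffix is rejected too.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !isset($allowed[$ext])) {
        return [false, 'extension not allowed'];
    }

    // MIME check: sniff the actual bytes with libmagic and require agreement
    // with the extension, rather than reading the browser-supplied $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        return [false, 'file content does not match its extension'];
    }

    // Quota check on the holding area, including the file about to be added.
    if (holdingAreaBytes($holdDir) + $file['size'] > HOLD_QUOTA_BYTES) {
        return [false, 'upload area quota exceeded'];
    }

    // Store under a server-generated name; the original name belongs only in the
    // pending-uploads database row (after the page's own filter() treatment).
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($holdDir, '/') . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'could not store file'];
    }
    chmod($dest, 0640); // readable by the web server, not executable, not world-readable
    return [true, $stored];
}

// Usage from the form handler (hypothetical field name and directory):
// [$ok, $info] = acceptUpload($_FILES['userfile'], '/var/pending_uploads', $ALLOWED_TYPES);
```

Two points the function relies on but cannot enforce by itself: the holding directory should sit outside the document root (or have script execution disabled in the web server), so that a file is never reachable as a URL before an admin has approved it; and the per-file cap should be mirrored by `upload_max_filesize` and `post_max_size` in php.ini, otherwise PHP has already spent the disk and bandwidth before this code runs.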
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
Posted: Tue Apr 11, 2006 5:31 pm

There are a number of upload modules currently available. Some cater specifically for uploading like UploadIt and others such as NSN GR Downloads which is a replacement downloads module with an upload facility and I think Enhanced Downloads Module (EDL) also has an upload facility.

You say you are new to this, so I admire your courage and you have my respect for getting this far BUT my recommendation will have to be - unless you are very experienced with PHP, don't do it for use on a production site.
Use something like NSN GR Downloads and tweak that to suit your needs.
Gremmie
Posted: Tue Apr 11, 2006 5:51 pm

Thank you for the advice.

I've looked at UploadIt; it appears, even to my untrained eye, very simplistic and doesn't do much checking. It also has a few obvious typos and mistakes in it.

I'd like to try NSN GR Downloads, but it isn't advertised for 7.9. I also need NSN Groups, which also isn't advertised for 7.9.

Anyway, I thought I would use this as a place to learn. So, assuming you can't talk me out of it, are there some general security coding guidelines I should follow? Or should I just study the source of say NSN GR Downloads?