views: 44
answers: 3

I have one question.

When we give a web user the option to import data into a MySQL table, is this secure?

For example:

    <form method="post" action="import.php" enctype="multipart/form-data">
        <input id="file1" name="file1" type="file">
        <input type="submit" name="button" id="button" value="Submit">
    </form>

and in import.php we have the following code:

    <?php
    // Take the uploaded file straight from PHP's temporary upload location
    $theFile   = $_FILES['file1'];
    $tmp_name1 = $theFile['tmp_name'];
    $row = 1;
    if (($handle = fopen($tmp_name1, "r")) !== FALSE) {
        // Read the upload line by line as comma-separated values
        while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
            $num = count($data);

            // SQL insert statement
        }
        fclose($handle);
    }
    ?>

My question is: if someone uploads a script, an .exe or a virus, it will go to the web server's temp directory. How can we secure it?

What would be a safe way?

Thanks

A: 

Nothing in that code executes the file so there won't be a problem in that part. As for whether or not there will be a problem once the file is extracted, that's a separate issue.

Ignacio Vazquez-Abrams
A: 

As long as you don't execute any files, and don't move them to a location in which they can be accessed from the outside (i.e. a folder in your web site), there is no security problem, no matter what the files contain.

You just need to be very careful, and not trust any files that come in this way when you do whatever you want to do to the files. Never execute them, for example. Never put them into a location from which they could be executed (e.g. .php files in an unsecured download directory).

Otherwise, it really depends on what you want to do with the files. There is no quick and easy Virus Checking solution in a standard Linux / Apache / PHP setup.

For a full rundown on what can be done to make file uploads as secure as possible, check out this question, the replies to it and especially the link in bobince's reply.

Pekka
+2 A: 

That is not secure. At the very least you need to verify that the file was indeed an uploaded file and not a file already on the server like /etc/passwd. To do that you need to use is_uploaded_file().

Example:

<?php
// Only proceed if the path really is an upload from this request
if (is_uploaded_file($_FILES['file1']['tmp_name'])) {
    $tmp_name1 = $_FILES['file1']['tmp_name'];
    if (($handle = fopen($tmp_name1, "r")) !== FALSE) {
        while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
            $num = count($data);

            // SQL insert statement
        }
        fclose($handle);
    }
}
?>

You also should rename any file uploaded to your server, as leaving the name of the file unchanged could lead to a remote file attack where someone executes the file on your server.

Finally, if the file upload is only supposed to accept certain file types, like images, then you should definitely check to make sure the file is actually an image. At the very least check the file extension to make sure it is a .png, .gif, .jpg, etc. If it is a .exe then reject it immediately, as it obviously is not an image and thus of no use to you.

<?php
if (is_uploaded_file($_FILES['file1']['tmp_name'])) {

    $allowedExtensions = array("txt","csv","htm","html","xml","css","doc","xls","rtf","ppt","pdf","swf","flv","avi","wmv","mov","jpg","jpeg","gif","png");
    // Take the part after the last dot; end() needs a variable, not the
    // return value of explode(), or PHP raises a by-reference notice
    $nameParts = explode(".", strtolower($_FILES['file1']['name']));
    $extension = end($nameParts);
    if (!in_array($extension, $allowedExtensions)) {
        // Bad file type. Error!
    }
    else {
        $tmp_name1 = $_FILES['file1']['tmp_name'];
        if (($handle = fopen($tmp_name1, "r")) !== FALSE) {
            while (($data = fgetcsv($handle, 1000, ",")) !== FALSE) {
                $num = count($data);

                // SQL insert statement
            }
            fclose($handle);
        }
    }
}
?>
John Conde
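The checks from John Conde's answer (is_uploaded_file, a server-chosen name, an extension check) and Pekka's rules (never execute the file, never store it where the web server serves it) combined into one hardened version of the question's import.php. This is an added example, not code from the question or from any of the answers. It assumes a table `contacts(name, email)`, a PDO connection, and a private directory outside the web root; the `/var/app/private-uploads` path and the MySQL DSN are placeholders. It also goes one step beyond the answers: the `// SQL insert statement` placeholder is filled with a prepared statement, since the CSV cells are attacker-controlled input to the query just as the file itself is, and the client-supplied extension is backed by a content sniff with `finfo`.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or any answer. Assumptions: a
// table contacts(name, email), a caller-supplied PDO connection, and a
// private directory outside the web root. DSN and paths are placeholders.

// Reject anything that is not a genuine upload of this request, is too big,
// or does not look like CSV by both extension and sniffed content.
function validateCsvUpload(array $file, int $maxBytes = 1048576): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    // The is_uploaded_file() check from John Conde's answer: the path must
    // have been created by PHP for this request, not be e.g. /etc/passwd.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // pathinfo() handles "data.backup.csv" and avoids the by-reference
    // notice that end(explode(...)) raises.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['csv', 'txt'], true)) {
        throw new RuntimeException('Only .csv or .txt files are accepted');
    }
    // The extension is chosen by the client; sniff the bytes as well so a
    // renamed binary is rejected here rather than parsed as CSV.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['text/plain', 'text/csv'], true)) {
        throw new RuntimeException("Rejected content type $mime");
    }
    return $file['tmp_name'];
}

// Store the upload under a random server-chosen name in a directory the web
// server does not serve, so the client's file name is never used as a path
// and the file can never be requested or executed through the site.
function quarantineUpload(string $tmpName, string $privateDir): string
{
    $dest = $privateDir . '/' . bin2hex(random_bytes(16)) . '.csv';
    if (!move_uploaded_file($tmpName, $dest)) {
        throw new RuntimeException('Could not move upload');
    }
    chmod($dest, 0600); // readable by the app user only, not executable
    return $dest;
}

// Parse the CSV and insert each row through a prepared statement, so cell
// contents are bound as values and never spliced into the SQL text.
function importCsv(PDO $pdo, string $path): int
{
    $handle = fopen($path, 'r');
    if ($handle === false) {
        throw new RuntimeException("Cannot open $path");
    }
    $stmt = $pdo->prepare('INSERT INTO contacts (name, email) VALUES (?, ?)');
    $rows = 0;
    $pdo->beginTransaction();
    try {
        // Explicit enclosure and empty escape: no backslash handling surprises
        while (($data = fgetcsv($handle, 1000, ',', '"', '')) !== false) {
            if (count($data) !== 2) {
                continue; // skip malformed rows instead of guessing columns
            }
            $stmt->execute([$data[0], $data[1]]);
            $rows++;
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    } finally {
        fclose($handle);
    }
    return $rows;
}

if (PHP_SAPI !== 'cli' && isset($_FILES['file1'])) {
    // What import.php does for a real request (placeholder DSN and path).
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stored = quarantineUpload(validateCsvUpload($_FILES['file1']), '/var/app/private-uploads');
    try {
        echo importCsv($pdo, $stored), " rows imported\n";
    } finally {
        unlink($stored); // the raw upload is not kept once imported
    }
} else {
    // Stand-alone check with constructed data and an in-memory SQLite
    // database (pdo_sqlite); only the DSN differs from the MySQL case.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE contacts (name TEXT, email TEXT)');
    $csv = tempnam(sys_get_temp_dir(), 'csv');
    file_put_contents($csv, "Alice,alice@example.com\nBob'); DROP TABLE contacts;--,bob@example.com\n");
    $n = importCsv($pdo, $csv);
    unlink($csv);
    // Both rows are stored as plain data; the quote and comment in the second
    // name are inert because the values were bound, not interpolated.
    echo $n, " rows imported, ", $pdo->query('SELECT COUNT(*) FROM contacts')->fetchColumn(), " in table\n";
}
```

Run from the command line the script exercises only `importCsv` against SQLite, because `is_uploaded_file()` and `move_uploaded_file()` return false outside a real request; under the web server the full path validate, quarantine, import, delete runs. Nothing in the flow ever executes the upload or exposes it under a URL, which is the property both answers ask for, and the file's contents reach the database only as bound parameters.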