I am trying to develop a small social network and would like to know if the following approach would be enough to make my 'file upload handling script' as secure as possible. I aim to allow my users to upload images [jpeg, jpg, png, gif], videos [3gp, wma, mp4] and mp3 files. I have gone through many of the questions here at SO, but most of them seem to deal with image uploading in detail and not videos and mp3. I would like to know what more I can do to make the script the most secure uploading script available. [Yes, I am pretty paranoid about security and would definitely want my site to be known for its security rather than its speed.] My current approach is as follows:
- check if user is registered (by checking the session)
- check if file is uploaded without errors
- check if file size is in permissible range
- sanitize the file name
- get the file extension and check if it is an allowed extension
- get the mime type and check if it is an allowed mime type
- generate new random file name
- set .htaccess rules for a folder outside public_html and use it to store the uploaded files
- use move_uploaded_file()
- use chmod() to set '0644' as permission for the uploaded file
In the .htaccess file the following will be added:
    SetHandler none
    SetHandler default-handler
    Options -ExecCGI
    php_flag engine off
    ForceType application/octet-stream
    <FilesMatch "(?i)\.jpe?g$">
        ForceType image/jpeg
    </FilesMatch>
    <FilesMatch "(?i)\.gif$">
        ForceType image/gif
    </FilesMatch>
    <FilesMatch "(?i)\.png$">
        ForceType image/png
    </FilesMatch>
    <FilesMatch "(?i)\.mp3$">
        ForceType audio/mpeg
    </FilesMatch>
    <FilesMatch "(?i)\.mp4$">
        ForceType video/mp4
    </FilesMatch>
The code that I am trying is as follows:
    $fileInput = $_FILES['image'];
    $sizeLimit = "4000";
    if ($fileInput['error'] === UPLOAD_ERR_OK && isset($fileInput['tmp_name'])) {
        if ($fileInput['size'] < $sizeLimit) {
            $cleanedName = stripslashes($fileInput['name']); // cleaning file name
            $checking = pathinfo($cleanedName);              // finding extension
            $ext = $checking['extension'];
            $finfo = finfo_open(FILEINFO_MIME_TYPE);         // find mime type
            $mimetype = finfo_file($finfo, $fileInput['tmp_name']);
            finfo_close($finfo);
            // ... generate random name and use move_uploaded_file() and chmod()
        }
    }
Is this approach enough to keep my site secure, or are there some glaring flaws in this method? Thanks in advance for your help.
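As an added illustration (not the asker's code), here is the same sequence of steps written so that the extension whitelist, the content-sniffed MIME type and the stored filename are all decided by the server; the storage path, size limit, session key and the MIME strings listed for 3gp/wma are assumptions.

```php
<?php
// Extension -> MIME types finfo may report for a genuine file of that kind.
const ALLOWED = [
    'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'],
    'png' => ['image/png'],  'gif'  => ['image/gif'],
    'mp3' => ['audio/mpeg'], 'mp4'  => ['video/mp4'],
    '3gp' => ['video/3gpp', 'audio/3gpp'],
    'wma' => ['audio/x-ms-wma', 'video/x-ms-asf'],
];
const MAX_BYTES = 20 * 1024 * 1024;           // assumed limit
const STORE_DIR = '/var/www/uploads_private'; // assumed: outside public_html

function storeUpload(array $file): string
{
    if (empty($_SESSION['user_id'])) {            // step 1: registered user
        throw new RuntimeException('not logged in');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) { // step 2: a real, clean upload
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] === 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    // The extension is looked up in the whitelist; anything else is rejected,
    // so a name like "x.jpg.php" (extension "php") never passes.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // MIME type from the bytes, and it must agree with the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content $mime does not match .$ext");
    }
    // Images get a second, format-specific parse.
    if (str_starts_with($mime, 'image/') && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('corrupt image');
    }
    // Server-chosen random name; the client's filename never touches the disk.
    $dest = STORE_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $dest;
}
// Usage: session_start(); $path = storeUpload($_FILES['image']);
```

Because the file lands outside public_html, it is only ever served by a script that sets Content-Type itself, so the .htaccess ForceType rules above act as a second layer rather than the only one.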