Reputation: 707
CMS upload picture files security issue
I have a quick question if anyone could help. I am building a CMS for a client where they can log in, and change content (including pictures via upload file form) that are all stored in a database.
My question.. I have been researching, and everywhere says I need to store the image files outside the root folder. Is this necessary in my case if only a few people will be uploading files, inside an admin panel, where they must first log in to the site? I will have already taken steps client side by making sure of file type, size, extension etc... then changing the name of the file before adding it to my DB... Is this secure enough, or am I asking for trouble down the road?
Thanks
Upvotes: 0
Views: 285
Answers (1)
Reputation: 3455
Its generally a good idea to store uploaded content someplace where it cant directly be addressed by a browser. You dont want someone uploading a .php file (or some other format you forgot to check for) and then being able execute it by pulling up the direct url. Rather, you'd have a wrapper script that delivered the file.
So yes, its a good idea, but not 'necessary' (by the dictionary definition of the word). You can certainly choose not to do so if in your judgement the admin area is otherwise secure.
That said, in the scenario you describe, as long as its only admin users who can upload images, I dont think its a huge deal either way.
btw, if you are not already, verify the images by their file headers or content, not file extension.
Upvotes: 1
Related Questions
- PHP File Upload security
- how to secure this image upload code
- PHP Secure Image Upload - Additional code?
- php security issue - file uploads
- Php file image upload security
- Secure image upload PHP
- image upload security
- File upload security vulnerability
- PHP uploading an image with my CMS?
- Upload images from my server to password protected site