When you allow users to upload files to your website, you are taking on a security risk. While nobody is ever completely safe, here are some precautions you can incorporate to make your site safer.
- Check the referrer: Make sure the request reaching your script came from a page on your own website and not from an outside source. This information can be faked, so it is not a guarantee, but it is still a worthwhile check.
- Restrict file types: Check both the MIME type and the file extension, and only allow specific types to be uploaded.
- Rename files: Rename every file that is uploaded. While doing so, check for double-barreled extensions like yourfile.php.gif and strip any extension you do not allow, or reject the file completely.
- Change permissions: Change the permissions on the upload folder so that files within it are not executable. Your FTP program probably allows you to chmod right from it.
- Login and moderate: Requiring users to log in may deter some deviant behavior. You can also take the time to moderate every uploaded file before allowing it to go live on the web.
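The first four precautions above can be combined into one upload handler. The following is an added example written for this page, not code from the original article; it assumes that only PNG, JPEG and GIF images are wanted, that `www.example.com` stands in for your own host name, and that the sample file contents are constructed stand-ins rather than real images. It checks the referrer against the site's host, allows only listed extensions (every part of a double-barreled name, not just the last), confirms the file content matches the claimed type by its leading signature bytes, discards the client's file name in favor of a random one, and writes the file with mode 0644 so it carries no execute bit.

```python
import os
import secrets
import stat
import tempfile
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Allowed extensions, each mapped to the signature bytes a genuine file of that type starts with.
# Comparing content against the extension catches a script that was simply renamed to ".gif".
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails one of the checks."""


def referer_is_local(referer_header, site_host):
    """Referrer check: accept only requests whose Referer names our own host.
    Browsers send this header and clients can forge it, so it is a deterrent, not a boundary."""
    if not referer_header:
        return False
    return urlsplit(referer_header).hostname == site_host.lower()


def validate_upload(original_name, data):
    """Apply the file-type rules and return the permitted extension in lowercase.
    Raises UploadRejected for anything that fails a check."""
    # Keep only the basename so a client-supplied path like "../../x.png" cannot steer the location.
    name = PurePosixPath(original_name.replace("\\", "/")).name
    if not name or name.startswith("."):
        raise UploadRejected("missing or hidden file name")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no file extension")
    # Double-barreled names such as yourfile.php.gif: every extension must be on the allow list,
    # not just the final one, so a server that dispatches on the first extension cannot be fooled.
    for ext in parts[1:]:
        if ext not in ALLOWED_TYPES:
            raise UploadRejected("extension .%s is not permitted" % ext)
    ext = parts[-1]
    if not data.startswith(ALLOWED_TYPES[ext]):  # bytes.startswith accepts a tuple of prefixes
        raise UploadRejected("file content does not match its .%s extension" % ext)
    return ext


def rejection_reason(original_name, data):
    """Convenience wrapper for logging: None if the upload is accepted, otherwise the reason."""
    try:
        validate_upload(original_name, data)
    except UploadRejected as exc:
        return str(exc)
    return None


def store_upload(upload_dir, original_name, data):
    """Validate, rename to a random name, and write the file without execute bits.
    Returns the path of the stored file."""
    ext = validate_upload(original_name, data)
    new_name = "%s.%s" % (secrets.token_hex(16), ext)  # the client's name is discarded entirely
    path = os.path.join(upload_dir, new_name)
    # O_EXCL refuses to overwrite an existing file; 0o644 is rw-r--r--, i.e. no execute permission.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Store a constructed GIF in a temporary upload folder and report what happened."""
    gif = b"GIF89a" + b"\x00" * 32  # constructed sample content, not a real image
    with tempfile.TemporaryDirectory() as upload_dir:
        path = store_upload(upload_dir, "holiday.GIF", gif)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return {
            "extension": os.path.splitext(path)[1],
            "renamed": os.path.basename(path) != "holiday.GIF",
            "executable": bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
        }


if __name__ == "__main__":
    print(demo())
```

In a real handler, `referer_is_local` would be called with the request's Referer header before `store_upload`, and the upload folder would additionally be configured in the web server so that nothing in it is ever executed, since file permissions alone do not stop a server module from interpreting a script.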