Creating a SECURE file manager with PHP
(Page 3 out of 3)
Other various changes
The index file which shows a list of all the uploaded files, using the dir class, needs a small fix as well, because all the files have a .php extension. All we need to do is strip away the .php extension, which takes very little code:
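An added example of such a listing (my code, not the tutorial's own), using the dir class as the text describes. It assumes the wrapped uploads live in upload/ and that a hypothetical download.php?file=NAME handler unwraps and serves them; the name check and output escaping are added so a stray entry in the directory cannot inject HTML or a path into the page.

```php
<?php
// Added example, not the tutorial's code: list the wrapped uploads,
// strip the ".php" suffix the file manager appended, and emit safe links.
// Assumptions: uploads live in "upload/" and "download.php?file=<name>"
// is a hypothetical handler that unwraps and serves one file.
$uploadDir = 'upload';

function listUploads($dir)
{
    $names = array();
    $d = dir($dir);
    if ($d === false) {
        return $names;            // directory missing or unreadable
    }
    while (false !== ($entry = $d->read())) {
        // Only the wrapped files end in ".php"; this also skips ".", ".."
        // and the .htaccess that protects the directory.
        if (substr($entry, -4) !== '.php') {
            continue;
        }
        $name = substr($entry, 0, -4);   // strip the .php extension
        // Accept only plain file names (no path separators, no leading dot)
        // so the listing cannot be used to walk out of the upload directory.
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name)) {
            continue;
        }
        $names[] = $name;
    }
    $d->close();
    sort($names);
    return $names;
}

echo "<ul>\n";
foreach (listUploads($uploadDir) as $name) {
    // Escape once for the URL context and once for the HTML context.
    printf("<li><a href=\"download.php?file=%s\">%s</a></li>\n",
        rawurlencode($name), htmlspecialchars($name, ENT_QUOTES));
}
echo "</ul>\n";
?>
```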
Another thing I added to the new secure file manager is the following code, which works around the 'Magic Quotes' problem, whereby PHP added backslashes to the contents of any file that was being edited.
// Only strip slashes when PHP itself added them (magic_quotes_gpc = On)
if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
    {
        // Recurse into nested arrays, strip the slashes from scalar values
        $value = is_array($value) ?
            array_map('stripslashes_deep', $value) :
            stripslashes($value);
        return $value;
    }
    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
}
The above code first checks whether magic quotes is enabled, and if it is, it removes the added slashes from the POST, GET and COOKIE variables, including nested arrays.
Another way to add an extra layer of security is to place a .htaccess file in your upload directory, with the following contents:
AuthType Basic
AuthUserFile /non/existing/path/.htpasswd
Require valid-user
This password-protects the upload directory, but because the password file does not exist, nobody can ever authenticate, so nothing in the directory can be fetched directly. It is just an extra layer of protection on top of our other measures, and it only takes effect if Apache honours .htaccess files in that directory (AllowOverride must include AuthConfig).
Conclusion
In this follow-up tutorial I've shown you how to create a file manager that's 100% secure, and in no way "hack-able". Just to remind you, the following ways can be used to protect your upload directory (ranging from highest level of safety to lowest):
1. Put your upload directory in a non-public place, like above your webroot
2. Use a .htaccess file to password protect the upload directory, so that it cannot be read by anyone.
3. Use the PHP security measure we created in this tutorial. One disadvantage is that it will make your files up to 33% bigger (due to the base64 encoding).
If you use any of the above measures, or even several together, your file manager is guaranteed to be secure!
If you want to download the complete SECURE file manager, click here to download the source and click here to view a live demo, although it's exactly the same as the demo of the previous tutorial. If you're interested in testing the security measures, the upload directory of the demo is located at http://phpit.net/demo/creating%20file%20manager%20php/upload/.
If you have any comments or questions on this tutorial, feel free to drop them below or join us at PHPit Forums.
February 22nd, 2006 at 8:56 pm
Sexy, just getting started with the whole web development thing, very exciting. I enjoyed this tutorial.
February 22nd, 2006 at 11:01 pm
Just wondering if I might get a response on this question. I get a security error when I try to do anything with the files, be it edit, or delete, or download. Is this due to folder restrictions? I have the permissions at 777. Or should I try locating the uploads folder above my web directory as you stated in this tutorial?
April 4th, 2006 at 8:24 pm
What if instead of downloading the file, I want to use the file as an image source? For example: img src='uploaded_file.php'?
August 1st, 2006 at 10:07 am
Thanks very much, I got a way for security purposes in files.
But can you tell me how we can upload mpeg files?
August 11th, 2006 at 9:16 pm
For PHP 4.3 and higher, you can use file_get_contents() to get the file contents as a string instead of having to use implode() with file().