Uploading and Emailing Files - Security Issues

Status
Not open for further replies.

MrTBC (Technical User, US), Nov 19, 2003
Hi there.
I'm a total PHP newbie after some advice please...

I've customised part of a commercial PHP script that I bought to create a Job Listing website.

The script provides a contact form that calls a function which sends information by email. I've added to this script so that the sender can upload a Resume and send this as well.

I'd just like someone who knows a bit more PHP than me to check that I'm not at any kind of security risk with this please:

I've added this to the existing form in the TPL file:

enctype="multipart/form-data"

<input type="hidden" name="MAX_FILE_SIZE" value="100000" />

<input name="userfile" type="file" />

I then pass these additional items to the email function call in the PHP file:

$_FILES['userfile']['tmp_name']
$_FILES['userfile']['name']

These give the attachment location and name respectively.

Presumably because the file stays temporary it's automatically deleted after use?

Anything to worry about?

Thanks guys.

the file is deleted immediately after the script closes (unless php unexpectedly crashes before).

there is no security issue per se in having the form and the script as you have described them.

the thing to be careful of with email is header injection where an end user can corrupt your comments box or similar and cause it to act a bit like an open relay.

for example if someone typed the following in as their email address
Code:
someone@example.com; \nTo:spam@example.com;\nTo:spam2@example.com

if your script just took this field value and inserted it into the header with the usual "From: " prepended then this would be a successful header injection (i haven't double checked the mail syntax, but you get the idea). so the answer is: never never trust user input or other data that is not end-to-end in your control. cleanse each piece of incoming data, escape it where you need to, test it against the kind of value you're expecting etc before using it in any sql query, mail script, file write, system or eval script etc.
 
Thanks that's really helpful.
So I should write some script to check for slashes, commas, and multiple @ symbols and display an error and log their IP if found?
 
only if you are using any user input in the headers.

and if you are, i would think it better to use a proper expression to check for a valid email address. regex does this well - have a look at for examples of good regular expressions.

but ... if these things become a concern then i'd recommend phpmailer (phpmailer.sourceforge.net) which more or less sorts it all out for you.
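The two checks recommended in the replies above, rejecting line breaks in the sender address and validating it as a single e-mail address, together with the server-side handling of the upload from the first post, written out as an added example. This is not code from the thread or from the commercial script being customised; the function names and the constructed sample inputs are this example's own.

```php
<?php
// Added example (not from the thread or the commercial script): server-side
// checks for the two risks discussed above, mail header injection through the
// sender's address and unchecked use of $_FILES. Function names are assumed.

// Return the address if it is one well-formed e-mail address with no line
// breaks, otherwise null. A header value containing CR or LF lets the sender
// append extra headers (the "To:" trick shown above), so that is rejected first.
function safeSenderAddress(string $raw): ?string
{
    $address = trim($raw);
    if (preg_match('/[\r\n]/', $address)) {
        return null;                        // line break: header injection attempt
    }
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;                        // not a single syntactically valid address
    }
    return $address;
}

// Validate one entry of $_FILES. Returns [tmp_path, safe_display_name] or null.
// The MAX_FILE_SIZE hidden field only advises the browser; the size limit that
// counts is enforced here, on the server.
function safeUploadedResume(array $file, int $maxBytes = 100000): ?array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;                        // partial upload, too large, or no file
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;                        // path was not produced by this request's upload
    }
    if ((int)($file['size'] ?? 0) > $maxBytes) {
        return null;
    }
    // The client-supplied file name is untrusted: keep only the base name and a
    // conservative character set before it appears in the e-mail.
    $name = basename($file['name'] ?? '');
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    if ($name === '' || $name[0] === '.') {
        $name = 'resume_' . $name;
    }
    return [$file['tmp_name'], $name];
}

// Constructed sample inputs (not real requests). The first is the payload
// quoted earlier in the thread.
$injected = "someone@example.com; \nTo:spam@example.com;\nTo:spam2@example.com";
var_dump(safeSenderAddress($injected));             // NULL: line breaks present
var_dump(safeSenderAddress('someone@example.com')); // string "someone@example.com"

$fakeUpload = [
    'name'     => "../../odd name.doc",
    'tmp_name' => '/tmp/php_placeholder',   // placeholder path, not a real upload
    'error'    => UPLOAD_ERR_OK,
    'size'     => 4096,
];
// Outside a real multipart POST, is_uploaded_file() is false, so this is NULL;
// inside one it would return ['/tmp/...', 'odd_name.doc'].
var_dump(safeUploadedResume($fakeUpload));
```

The order of the checks matters: the upload error code is read before anything is done with `tmp_name`, and `is_uploaded_file()` guards against a crafted request that names some other file on the server. Once the values have passed these functions, PHPMailer (as suggested above) can be handed the clean address and the temporary path as an attachment, and the temporary file is still removed by PHP when the request ends.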
 