in reply to RE:(2) File Upload Security Question
in thread File Upload Security Question

I am also interested in giving users the ability to upload files to my website. Is it safe to allow users to upload a file as long as I name the file myself? I have an art business and I usually do drawings from photos. Ideally, I would like visitors of my site to be able to submit an image file to my site so I could give them a price quote for a drawing (or painting, etc). Do I need to take other precautions as well? Thanks, Rad (an humble newbie in Dallas)

RE:(4) File Upload Security Question
by swiftone (Curate) on Jun 13, 2000 at 00:15 UTC
      Thank you.
      That is *just* what I needed to get going.

      Gratefully,
      Rad

        Not always. There is a class of vulnerabilities known as Arbitrary File Upload. What an attacker will do is put the source code for a PHP shell (a web application used to manipulate a server) into a text document and then name it "name.php.jpg". What this is doing is disguising the shell as a JPEG image. This file will be uploaded unless your web application sanitizes the inputted file. So make sure that your web application does sanitize the file by making sure that the data that the file holds is of the correct extension.
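
The two precautions raised in this thread, naming the file yourself and checking that the content matches the extension, combined in one upload handler. This is an added example, not code from any poster; `save_upload`, `sniff_extension`, the 5 MB limit and the accepted image types are assumptions chosen for illustration.

```python
import os
import secrets

# Leading bytes ("magic numbers") of the image formats this example accepts.
MAGIC = {
    b"\xff\xd8\xff": ".jpg",
    b"\x89PNG\r\n\x1a\n": ".png",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for a reference photo


def sniff_extension(data: bytes):
    """Return the extension implied by the file's content, or None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def save_upload(client_name: str, data: bytes, upload_dir: str):
    """Store an upload under a server-chosen name; return the path or None.

    client_name is accepted only so it can be logged; it never reaches the
    filesystem, so "name.php.jpg" or "../x" cannot influence the stored path.
    """
    if not data or len(data) > MAX_BYTES:
        return None
    ext = sniff_extension(data)
    if ext is None:
        return None  # content is not one of the accepted image types
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    # O_EXCL refuses to overwrite; 0o600 keeps the file non-executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        # Constructed samples: PHP source disguised as a JPEG, and a JPEG header.
        print(save_upload("name.php.jpg", b"<?php echo 1; ?>", d))
        print(save_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, d))
```

A matching header does not prove the rest of the file is an image, so the upload directory should also be one the web server never executes scripts from.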