I'm creating a simple upload script so that clients can upload information about potential projects (such as pdf's, cad drawings, etc.) to my server instead of email (the size of these files are sometimes too big for email)
Here's what I have:
Client Side
Server Side
Now, of course this would be normally vulnerable. It looks to me, though, that I can set my upload folder permissions to 700 and be safe.
Am I wrong thinking this way? Is it possible that the server will somehow execute a file automatically? (Because I don't see a way that this could cause harm)
Here's what I have:
Client Side
Code:
<form enctype="multipart/form-data" action="script.php" method="POST">
<input type="hidden" name="MAX_FILE_SIZE" value="10000000" />
<ul>
<li class="form"><label for="variable">Choose a file to upload: </label></li>
<li class="form"><input name="variable" type="file" /><br /></li>
<li class="form"><input type="submit" value="Upload File" /></li>
</ul>
</form>Server Side
Code:
<?php
$uploaddir = './upload/'; // Relative path under webroot
$uploadfile = $uploaddir . basename($_FILES['variable']['name']);
if (move_uploaded_file($_FILES['variable']['tmp_name'], $uploadfile)) {
echo "<p>File uploaded successfully</p>";
} else {
echo "<p>File uploading failed. Please use your browser's back button to return to the upload form.</p>";
}
?>Now, of course this would be normally vulnerable. It looks to me, though, that I can set my upload folder permissions to 700 and be safe.
Am I wrong thinking this way? Is it possible that the server will somehow execute a file automatically? (Because I don't see a way that this could cause harm)