Is allowing uploads of .php files dangerous if only the tmp file's content is being used?

I'm not moving the tmp file to a 'live' (web-accessible) directory at all, simply doing a file_get_contents on the tmp file and running a few regexes against it (the code is never executed/run).

Could this be dangerous or pose any risks?

Answers


Since you’re not executing it, the file is nothing more than a plain text file. Check the file size and type as you would with any other data file and you should be safe.

If you later decide to make it web accessible (for whatever reason), make sure you set permissions on it (in a Linux environment) or change the file extension (under Windows) so that it cannot be executed.


This will somewhat depend on your environment.

File upload itself is not harmful unless your environment is not Windows. In that case, I'd employ an antivirus program to check the file before any processing is done on it.

Also, file size matters. file_get_contents will read the whole file into your server's memory at once. So, if the file is too big or your resources too low, you may run into errors.

That's probably all I'd be worried about if I'm not presenting uploaded content to my users.
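
An added example (not part of either answer above): one way to apply the size check and a bounded read to the temp file while treating it purely as text. The function name, the 256 KiB cap and the `source` field name are assumptions.

```php
<?php
declare(strict_types=1);

const MAX_SCAN_BYTES = 262144; // assumed 256 KiB cap; tune to your use case

/**
 * Return the contents of an uploaded file for text scanning, or throw.
 * $file is one entry of $_FILES. The temp file is never moved or included.
 */
function read_upload_for_scan(array $file, int $maxBytes = MAX_SCAN_BYTES, bool $httpUpload = true): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . ($file['error'] ?? 'n/a'));
    }
    $tmp = (string) ($file['tmp_name'] ?? '');
    // is_uploaded_file() confirms the path came from PHP's upload handling,
    // not from a client-influenced value pointing at some other server file.
    if ($httpUpload && !is_uploaded_file($tmp)) {
        throw new RuntimeException('not an HTTP upload');
    }
    // Trust the size on disk, not the client-reported $file['size'].
    $size = filesize($tmp);
    if ($size === false || $size > $maxBytes) {
        throw new RuntimeException('file missing or larger than cap');
    }
    // The length argument bounds memory use even if the file grows after the check.
    $data = file_get_contents($tmp, false, null, 0, $maxBytes);
    if ($data === false) {
        throw new RuntimeException('read failed');
    }
    return $data;
}

// Constructed sample standing in for $_FILES['source'] so this runs from the CLI.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php\nfunction demo() { return 1; }\n");
$sample = ['error' => UPLOAD_ERR_OK, 'tmp_name' => $tmp, 'size' => 0];

$code = read_upload_for_scan($sample, MAX_SCAN_BYTES, false); // false: CLI demo only
// The content is only ever treated as a string: regex, never include/eval.
preg_match_all('/function\s+(\w+)\s*\(/', $code, $m);
echo implode(',', $m[1]), "\n";
unlink($tmp);
```

In a real request handler, leave the third argument at its default so the `is_uploaded_file()` check stays on.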

