0

In all the tutorials I've read, the file upload form is first submitted, and then the file in the temporary directory is evaluated to decide whether it should be moved to the permanent directory. My question is: what's the point of that?

If the file was uploaded by an attacker and it's executable, wouldn't it harm the system before it's evaluated and deleted? Other than that, does the user have to wait for the file to be uploaded just to find out that the file can't be uploaded because it doesn't have the expected format?

I guess it's better to use some kind of client-side code for that, but I'm asking since no one was bringing that up as an option.

(If it's better to evaluate the file using client-side code, how is it done?)

Thanks in advance.

Pro Haitham
  • Deciding that isn't _automatic_. It can be done by executing some PHP function, for example: `move_uploaded_file` – youngminz Apr 12 '16 at 05:07
  • I didn't say it is automatic? – Pro Haitham Apr 12 '16 at 05:09
  • Are you talking about extension filtering in JavaScript? http://stackoverflow.com/questions/4234589/validation-of-file-extension-before-uploading-file However, you should verify the file on the server side even if you add verification code on the client side, because a client-side check can be invalidated by tools like Chrome's Inspector, etc. – youngminz Apr 12 '16 at 05:29

2 Answers

1

First of all (really important): Always validate user input on the server side. But you may still validate user input additionally on the client side (for usability reasons).

As you already assumed, it's for security reasons.

You don't really want insecure files (e.g. PHP code or other bad stuff) in your 'production user files directory' as this could have some other effects (like maybe already affecting website statistics being displayed, etc.).

So before you move uploaded user files to the correct directory, you should definitely make sure that the file is okay according to your business rules (e.g. no executable code, maximum file size, etc.) and then move it. This temporary upload directory should always be non-public (meaning the web server not having access to it).

Andreas
1

There are a few reasons for doing it this way.

Firstly, it makes it less likely for interrupted uploads to be left lying around (for example if the server experiences a power cut while the file is being uploaded).

Secondly, it ensures all files in your upload directory are complete. You won't read any partial data when you read files in your upload directory.

Finally, it allows keeping files that have not yet been validated (for example, by checking their file type) separate from those that have.

Chris
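The validate-then-move flow that both answers describe, as an added example that is not part of the original posts. The form field name `userfile`, the image-only allow-list, the 2 MiB cap, the function name `store_upload` and the destination path are assumptions chosen for illustration.

```php
<?php
// Added example: validate an upload while it is still in PHP's temporary directory.
// Assumptions (not from the page): field "userfile", images only, 2 MiB cap,
// and a destination directory that lies outside the web server's document root.
const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED   = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const DEST_DIR  = '/var/www/uploads-private';

function store_upload(array $file): string
{
    // PHP reports interrupted or oversized uploads here; anything but OK is rejected.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was incomplete.');
    }
    // Confirm the path really is a file uploaded in this request.
    if (!is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Measure the file on disk; the size and type sent by the browser are untrusted.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File is empty or too large.');
    }
    // Detect the type from the content, not from the client-supplied name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = ALLOWED[(string) $mime] ?? null;
    if ($ext === null) {
        throw new RuntimeException('File type not allowed.');
    }
    // Server-generated name and extension: the original filename is never used.
    $target = DEST_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // Only a file that passed every check leaves the temporary directory.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store the file.');
    }
    return $target;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        store_upload($_FILES['userfile'] ?? []);
        echo 'Stored.';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

A file that fails any check is never moved, and PHP deletes the temporary copy when the request ends. Content sniffing alone does not prove a file is harmless, which is why the stored name and extension are chosen by the server and the destination is kept out of the document root.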