Join Kevin Skoglund for an in-depth discussion in this video Validating file types, part of PHP: Creating Secure Websites.
…In this movie, we'll learn how to use PHP…to allow only certain file types to be uploaded.…When we're validating file types, what we're talking…about is restricting uploads to specific file types.…The idea is to whitelist the file types that…we want to allow, and thereby disallow everything else.…So if we're expecting to get an image file,…then we would whitelist, only, the image file types.…If we want only PDFs, we would whitelist, only, PDFs.…This then, becomes a question of how do you tell a good file from a bad file?…It's not as easy it it first sounds.…
What if you have a text file?…Do you change the extension in the file name to .jpg?…It now looks like an image file if you just look at the file name.…Or what if you have a file that has two endings?…What if it's .php.jpg?…Or worse, what if you have a file that's a legitimate…image file which also contains hidden PHP code inside of it?…I'm sad to say that that is possible.…There is no bulletproof solution to validating file types.…So instead, we're going to deploy a number of different measures to try…
Author
Kevin Skoglund
Released
6/30/2014- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection
- Encrypting and signing cookies
- Session hijacking and fixation
- Securing uploaded files
- User authentication
- Throttling brute-force attacks
- Blacklisting IPs
- Implementing password reset tokens
Skill Level Intermediate
Duration
Views
-
Introduction
-
Welcome1m 3s
-
Using the exercise files1m 8s
-
-
1. Security Overview
-
What is security?3m 37s
-
Security and PHP2m 56s
-
General security principles4m 24s
-
-
2. Securing Your PHP Installation
-
Keeping versions up to date2m 51s
-
phpinfo and phpMyAdmin4m 11s
-
Configure register globals4m 19s
-
Configure error reporting7m 52s
-
Configuring magic quotes3m 2s
-
Configuring safe mode3m 1s
-
Other configurations6m 34s
-
PHP on a shared host2m 50s
-
-
3. Filtering Input and Controlling Output
-
Validating input13m 18s
-
Sanitizing data11m 30s
-
Labeling variables2m 29s
-
Keeping code private7m 3s
-
Smart logging3m 40s
-
-
4. Defending against the Most Common Attacks
-
SQL injection7m 2s
-
URL manipulation1m 51s
-
Faked requests and forms6m 17s
-
Cookie visibility and theft5m 41s
-
Encrypting cookies8m 56s
-
Signing cookies5m 41s
-
Session hijacking and fixation11m 50s
-
Remote system execution7m 6s
-
PHP code injection7m 6s
-
File upload abuse9m 1s
-
Securing uploaded files9m 15s
-
Setting file permissions8m 39s
-
Limiting upload file size5m 39s
-
Validating file types9m 16s
-
5. Encryption and User Authentication
-
Password encryption7m 6s
-
Password requirements2m 14s
-
Authentication in PHP12m 59s
-
Throttling brute-force attacks10m 37s
-
Blacklisting IP addresses6m 42s
-
-
Conclusion
-
Next steps44s
-
Take notes with your new membership!
Type in the entry box, then click Enter to save your note.
Press on any video thumbnail to jump immediately to the timecode shown.
Notes are saved with you account but can also be exported as plain text, MS Word, PDF, Google Doc, or Evernote.
Share this video
Embed this video
Video: Validating file types