PHP File Upload - Ensure both file is uploaded AND database updated - 【StackMirror】|php|file-upload|xss|database-security

What are best practices for uploading files using PHP to ensure that a database is also updated?

Current approach

1) Form validation confirms all fields are of valid types, lengths and clean of xss attacks.

2) File uploaded to server with user submitted filename

3) Database updated with user submitted details including filename

Is that a safe way? Would it be better to update the database first, then query the database for the filename and then upload the file using the database-retrieved filename?

Not looking for code necessarily but rather the philosophy. Thanks!

2012-04-04 20:18
by csi

I would use this order:

First method: operation order dependent

Form validation
Check if file was uploaded (don't move it from temp, yet)
Generate new filename based on your free choice
Insert data about the file to database using newly generated filename
Only then, if there's not exception thrown, move the file from temp using filename above. Otherwise, file will be deleted automatically on request end
If file moving failed for some reason you should remove record from database.

I strongly suggest using some PDO-like library to "talk" to database as these throw exceptions, instead of raising errors (like mysql_** function). That way you will know for sure if your query succeeded without constantly checking result of database functions...

Second method: Transactions

Form validation
Check if file was uploaded (don't move it from temp, yet)
Generate new filename based on your free choice
Start transaction
"Insert" data about the file to database using newly generated filename.
Move the file from temp using filename above. If for some reason file move fails, throw an execption.
Commit transaction
At this point you're sure that both file is moved and data persisted properly.

2012-04-04 20:30
by Jovan Perovic

Thanks! PDO is always my weapon of choice. : - csi 2012-04-04 20:33

You're welcome. ;) I edited my answer to include transaction-wise method, maybe even better to use.. - Jovan Perovic 2012-04-04 20:45

Thanks for the transaction addition. Most helpful - csi 2012-04-06 17:13

Form validation is an essential part of any web application so it's good to see that on the list. You're combining two of the most risky elements of web applications here, file uploads and database interaction so you obviously need to tread carefully. I guess that's why you're asking!

My suggestion in terms of approach is firstly not to use user submitted filenames, that opens up a whole area of risk you don't need. Unless this is a required feature of your app, generate a new random filename in PHP and use move_uploaded_file to copy from the PHP assigned tmp_name to your new random filename.

Once you've performed this move you can update the database with the location of the file.

My approach would therefore be:

Strict validation of any user supplied input based on a whitelist ([a-z][A-Z][0-9] as a suggestion).
Avoid echoing user supplied data back to screen, if you do, output encode to HTML entities.
Avoid using user supplied data for input to the database or filename, generate a new filename which you control.
Handle the upload itself and, after performing some validation checks move the image to its new location as per your generated filename.
Update the database with the new filename.

I know you weren't after code but here are a couple of little snippets from a working file upload I have, it doesn't do the database part but that would be straightforward to add.

function generate_filename() {
    // could be improved upon really
    $random_string = random_string(8);
    $filename = $random_string . time() . ".jpg";
    return $filename;    
}



if ($_FILES["file_upload"]["size"] != 0) {
    $file_name = generate_filename();
    $file_path = "/" . $upload_directory . "/" . $file_name;
    $target_file_name = SITE_ROOT . $file_path; // SITE_ROOT is a constant for the file system location. This could be /var/www/images for example.

    if ($_FILES["file_upload"]["type"] == "image/jpeg") {
        if (getimagesize($_FILES["file_upload"]["tmp_name"])) {
            if (move_uploaded_file($_FILES["file_upload"]["tmp_name"],$target_file_name)) {
                exit_status("File uploaded successfully to $file_path");
            } else {
                exit_status("Eek, something went wrong with your image upload");
            }
        } else {
            exit_status("Not a valid image");
        }
    } else {
        exit_status("Invalid file type. We only support JPEG");
    }
} else {
    exit_status("You didn&rsquo;t specify a file to upload. Try again");
}

2012-04-04 20:54
by Marc Wickenden