File Handling
Everybody uses include files; they make life easier. However, a common issue I have seen on various jobs is that people give include files a custom extension such as .inc or .txt. The problem is that the web server does not parse those extensions, so any sensitive information in them, such as hard-coded passwords, database connection strings, encryption routines and the like, must not be kept there. That kind of information belongs in local configuration files or in files the server parses, so that if someone requests the file directly in a browser it is not simply displayed as plain text.
You may be surprised how often I have got set up to do a job, called up a local include file in my browser and got all sorts of information a surfer simply shouldn't get. Be safe: keep includes in a file that is parsed by the server, or in one that resides outside the web root.
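A quick way to find the problem described above before a visitor does is to walk the web root and flag every file that the server would serve verbatim and that looks like it holds a secret. The following is an added audit example, not code from the original article; it assumes a typical setup where only files ending in .php are handed to an interpreter (adjust SERVER_PARSED_EXTENSIONS for your server), and the sample file contents are constructed for illustration.

```python
import os
import re

# Extensions the web server hands to an interpreter. Anything else is
# served as-is, so a secret in such a file is readable by any visitor.
# Assumption: a typical PHP deployment; extend this set for your server.
SERVER_PARSED_EXTENSIONS = {".php"}

# Cheap indicators of credentials or connection details in an include file.
SECRET_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"password\s*=",
    r"passwd\s*=",
    r"mysql_connect\s*\(",
    r"dsn\s*=",
    r"api[_-]?key\s*=",
)]


def classify(relpath, content):
    """Return (relpath, pattern) if the file would be served verbatim and
    matches a secret indicator, otherwise None."""
    ext = os.path.splitext(relpath)[1].lower()
    if ext in SERVER_PARSED_EXTENSIONS:
        return None  # interpreter runs it; source is not echoed back
    for pat in SECRET_PATTERNS:
        if pat.search(content):
            return (relpath, pat.pattern)
    return None


def find_exposed_includes(files):
    """files: iterable of (relative path, text content) pairs.
    Returns the list of exposed-include findings."""
    findings = []
    for relpath, content in files:
        hit = classify(relpath, content)
        if hit:
            findings.append(hit)
    return findings


def scan_web_root(web_root):
    """Walk a real directory tree and yield (relative path, content) pairs
    for find_exposed_includes(). Binary files are read with errors ignored."""
    for dirpath, _dirs, names in os.walk(web_root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                yield os.path.relpath(full, web_root), fh.read()


# Constructed sample tree standing in for a real web root.
SAMPLE_FILES = {
    "config.inc": "<?php $db_password = 'hunter2'; $db_host = 'localhost'; ?>",
    "db.txt": "host=localhost\npassword=secret\n",
    "index.php": "<?php include 'config.inc'; ?>",
    "readme.txt": "Nothing sensitive in here.\n",
}

if __name__ == "__main__":
    for path, pattern in find_exposed_includes(SAMPLE_FILES.items()):
        print(f"EXPOSED: {path} (matched {pattern})")
    # To audit a live tree instead:
    # for path, pattern in find_exposed_includes(scan_web_root("/var/www/html")): ...
```

The scan only reports files whose extension is not in the parsed set, so index.php is skipped even though it references the secret-bearing include; config.inc and db.txt are reported because a direct request for either would return their contents in plain text.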
When handling file uploads from a user you are setting yourself up for problems. You must check each upload to make sure it is what you expect. The easy way is to check the file extension on upload, but that alone is not the best way. The better validation is to check the MIME type, or better still, check both.
If you are accepting image uploads, make sure of two things: that the extension is gif, jpg, png or jpeg (or whatever extensions you wish to allow), and that the string "image/" is in the MIME type.
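The check described above, as an added example that is not part of the original article. It applies both rules, an extension allowlist and the "image/" MIME check, and adds the caveat a practitioner would want: the MIME type the browser sends with an upload is chosen by the client, so the example also sniffs the first bytes of the content for a known image signature and requires that the signature agrees with the extension. The function names and the sample byte strings are constructed for this example.

```python
import os

# Extensions the application chooses to accept (from the text above).
ALLOWED_EXTENSIONS = {"gif", "jpg", "jpeg", "png"}

# Which MIME type each allowed extension is supposed to carry.
EXTENSION_MIME = {
    "gif": "image/gif",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "png": "image/png",
}

# Public file-format signatures (magic bytes) for the allowed image types.
SIGNATURES = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]


def sniff_mime(data):
    """Derive the MIME type from the content itself, not from the client."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return None


def validate_image_upload(filename, data, client_mime):
    """Return (ok, detail). `client_mime` is the type the browser declared;
    it is checked but never trusted on its own."""
    name = os.path.basename(filename)          # drop any path the client sent
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[1].lower()       # only the final extension counts
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    if not client_mime.startswith("image/"):
        return False, "client-declared type is not image/*"
    sniffed = sniff_mime(data)
    if sniffed is None:
        return False, "content does not match any allowed image signature"
    if sniffed != EXTENSION_MIME[ext]:
        return False, f"content is {sniffed} but extension implies {EXTENSION_MIME[ext]}"
    return True, sniffed


# Constructed sample payloads: a minimal PNG header, a GIF header, and a
# script body that a client might upload under an image name.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
GIF_SAMPLE = b"GIF89a" + b"\x00" * 16
SCRIPT_SAMPLE = b"<?php echo 'hello'; ?>"

if __name__ == "__main__":
    cases = [
        ("photo.png", PNG_SAMPLE, "image/png"),
        ("photo.gif", GIF_SAMPLE, "image/gif"),
        ("upload.php", PNG_SAMPLE, "image/png"),      # bad extension
        ("photo.gif", SCRIPT_SAMPLE, "image/gif"),     # bad content
        ("photo.gif", PNG_SAMPLE, "image/gif"),        # extension/content mismatch
        ("photo.png", PNG_SAMPLE, "text/plain"),       # bad declared type
    ]
    for fname, body, declared in cases:
        print(fname, declared, validate_image_upload(fname, body, declared))
```

The order of the checks matters little for correctness, but rejecting on extension first is cheap and keeps the content sniff for files that have already passed the name check. On the server side, the uploaded file should still be stored under a generated name outside the web root or in a directory the server does not execute, so that passing this check never turns into executing the upload.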
