Discussion:
Best Secure practice for uploading a csv file to import
Joey J
2013-10-19 22:57:16 UTC
Permalink
Hello All,

I just wanted to see the best way to securely accomplish this task.
when we want to update a DB we upload to a writable directory instead of
writing it directly to MySQL, I don't like having writable directories if
possible.
Is there a right or better way to accomplish this?

Thanks!
--
Thanks!
Joey
Ashley Sheridan
2013-10-19 23:06:26 UTC
Permalink
Post by Joey J
Hello All,
I just wanted to see the best way to securely accomplish this task.
when we want to update a DB we upload to a writable directory instead of
writing it directly to MySQL, I don't like having writable directories if
possible.
Is there a right or better way to accomplish this?
Thanks!
There's nothing inherently wrong with having a directory writeable on
your web server, but you should ensure it's running with the least
privileges it requires to complete your task.

So, make sure that the Apache user is also the owner of the directory,
then you only need to give it 755 permissions (it's always unwise to use
777 on a production server).

Another thing you can do is to place the upload directory outside your
web root so that it's not accessible via a browser.

I can see why you wouldn't want to import it directly into the database
though. I recently had to "fix" a script of mine because someone thought
it would be a good idea to change the order of a bunch of fields in a
CSV, and added a new field in the middle rather than at the end. Having
a script in between the CSV and the database can ensure some sort of
data quality check is in-place before importing bad data.

Thanks,
Ash
http://www.ashleysheridan.co.uk
Joshua Kehn
2013-10-19 23:40:23 UTC
Permalink
Post by Ashley Sheridan
Post by Joey J
Hello All,
I just wanted to see the best way to securely accomplish this task.
when we want to update a DB we upload to a writable directory instead of
writing it directly to MySQL, I don't like having writable directories if
possible.
Is there a right or better way to accomplish this?
Thanks!
There's nothing inherently wrong with having a directory writeable on
your web server, but you should ensure it's running with the least
privileges it requires to complete your task.
So, make sure that the Apache user is also the owner of the directory,
then you only need to give it 755 permissions (it's always unwise to use
777 on a production server).
Another thing you can do is to place the upload directory outside your
web root so that it's not accessible via a browser.
I can see why you wouldn't want to import it directly into the database
though. I recently had to "fix" a script of mine because someone thought
it would be a good idea to change the order of a bunch of fields in a
CSV, and added a new field in the middle rather than at the end. Having
a script in between the CSV and the database can ensure some sort of
data quality check is in-place before importing bad data.
Thanks,
Ash
http://www.ashleysheridan.co.uk
Good points by Ash above.

I'd like to mention that because this is user input make sure any database access is escaped correctly (prepared statements are good) and when/if you output it should all be HTML escaped.

Best,

-Josh
___________________________
http://byjakt.com
Currently mobile
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Loading...