Php – Sending file contents in $_POST with PHP

filePHP

I'm developing a PHP script to send the content of a file from one script to another. In PHP usually it's used the $_FILE array that contains any uploaded file submitted in a form. But I didn't needed a form so I came up with something a little different:

// pseudo function names ahead

$content = file_get_contents(FILE_TO_SEND);
send_file_with_curl(base64_encode(gzcompress($content)));

So this basically fetches the content of the file, then compresses it with gzip compression and then base64 encodes it. Then everything is sent with a cURL POST request. On the other side I get sent content base64 decode it, uncompress it and everything comes back untouched.

So my question is: Is there any downside in doing things this way? Are there any security or integrity concerns I might be overlooking?

I forgot to mention that I also send an md5 digest of the file to check if the transfer went ok. And files to be sent will never be more than 3Mb of size.

Thanks in advance for all your answers.

Best Answer

I've found that the HTTP PUT method is nice for these kind of things. You surely don't need to encode the file, and most likely should not bother with compression, etc... There is no practical size limit to the following. It is fast and uses a fixed amount of memory regardless of the file size.

This function will HTTP PUT a file from the local disk to a remote URL

//Specify the location of a tmp file
function PutFile($sName, $sFile)
{
    $URL = "http://MY-SERVER/PutFile.php?FileName=" . urlencode($sName);

    $FILE = fopen($sFile, 'rb');

    $curl = curl_init($URL);
    curl_setopt($curl, CURLOPT_HEADER,0);
    curl_setopt($curl, CURLOPT_PUT, 1);
    curl_setopt($curl, CURLOPT_INFILE, $FILE);

    ob_start();
        curl_exec($curl);
        $sReturn = ob_get_contents();
    ob_end_clean();

    curl_close($curl);

    fclose($FILE);

    return $sReturn;
}

On the remote end, this is PutFile.php

<?php

$Name = (get and **validate** file name from $_GET['FileName'];
$Path = /somewhere/to/put/the/file/ + $Name

set_time_limit(3);

$f1 = fopen('php://input', 'rb');
$f2 = fopen($Path, 'wb');

while($data = fread($f1, 4096))
{
    fwrite($f2, $data);
}

fclose($f1);
fclose($f2);

echo "Success\n";

If you do not want to write it to disk, but work with it in memory, you could simply use file_get_contents('php://stdin').

Correctly setting up the connection

Note that when using PDO to access a MySQL database real prepared statements are not used by default. To fix this you have to disable the emulation of prepared statements. An example of creating a connection using PDO is:

$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'password');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

In the above example the error mode isn't strictly necessary, but it is advised to add it. This way the script will not stop with a Fatal Error when something goes wrong. And it gives the developer the chance to catch any error(s) which are thrown as PDOExceptions.

What is mandatory, however, is the first setAttribute() line, which tells PDO to disable emulated prepared statements and use real prepared statements. This makes sure the statement and the values aren't parsed by PHP before sending it to the MySQL server (giving a possible attacker no chance to inject malicious SQL).

Although you can set the charset in the options of the constructor, it's important to note that 'older' versions of PHP (before 5.3.6) silently ignored the charset parameter in the DSN.

Explanation

The SQL statement you pass to prepare is parsed and compiled by the database server. By specifying parameters (either a ? or a named parameter like :name in the example above) you tell the database engine where you want to filter on. Then when you call execute, the prepared statement is combined with the parameter values you specify.

The important thing here is that the parameter values are combined with the compiled statement, not an SQL string. SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters, you limit the risk of ending up with something you didn't intend.

Any parameters you send when using a prepared statement will just be treated as strings (although the database engine may do some optimization so parameters may end up as numbers too, of course). In the example above, if the $name variable contains 'Sarah'; DELETE FROM employees the result would simply be a search for the string "'Sarah'; DELETE FROM employees", and you will not end up with an empty table.

Another benefit of using prepared statements is that if you execute the same statement many times in the same session it will only be parsed and compiled once, giving you some speed gains.

Oh, and since you asked about how to do it for an insert, here's an example (using PDO):

$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');

$preparedStatement->execute([ 'column' => $unsafeValue ]);

Can prepared statements be used for dynamic queries?

While you can still use prepared statements for the query parameters, the structure of the dynamic query itself cannot be parametrized and certain query features cannot be parametrized.

For these specific scenarios, the best thing to do is use a whitelist filter that restricts the possible values.

// Value whitelist
// $dir can only be 'DESC', otherwise it will be 'ASC'
if (empty($dir) || $dir !== 'DESC') {
   $dir = 'ASC';
}

Python – How to check whether a file exists without exceptions

If the reason you're checking is so you can do something like if file_exists: open_it(), it's safer to use a try around the attempt to open it. Checking and then opening risks the file being deleted or moved or something between when you check and when you try to open it.

If you're not planning to open the file immediately, you can use os.path.isfile

Return True if path is an existing regular file. This follows symbolic links, so both islink() and isfile() can be true for the same path.

import os.path
os.path.isfile(fname)

if you need to be sure it's a file.

Starting with Python 3.4, the pathlib module offers an object-oriented approach (backported to pathlib2 in Python 2.7):

from pathlib import Path

my_file = Path("/path/to/file")
if my_file.is_file():
    # file exists

To check a directory, do:

if my_file.is_dir():
    # directory exists

To check whether a Path object exists independently of whether is it a file or directory, use exists():

if my_file.exists():
    # path exists

You can also use resolve(strict=True) in a try block:

try:
    my_abs_path = my_file.resolve(strict=True)
except FileNotFoundError:
    # doesn't exist
else:
    # exists

Best Answer

Related Solutions

Php – How to prevent SQL injection in PHP

Correctly setting up the connection

Explanation

Can prepared statements be used for dynamic queries?

Python – How to check whether a file exists without exceptions

Related Topic