Hacking my web IMing program


ghost
0 0

Ok, I just have a question for the more advanced hackers around here. I am creating a web instant messaging program and I plan to allow for people to upload any type of file so they can share them. I am aware that people can upload harmful php files that can damage my server, but that is why I plan on using a .htaccess file to force-download any file in the uploads folder. This way, if people upload a harmful php file, then go to it, they can't harm the server because they have to download it and are not able to run it on the server. However, I don't know if this can be fooled. So, can it or can it not?


Mr_Cheese
0 1

Excellent plan. It's the same method other big file upload websites use.

Also, hiding the actual directory it's uploaded in is good.

Like, store the files in /uploads/as8d9y283gajhgsdads/files/

and link the person to.. /uploads/ then with the .htaccess you can get it to instantly download from /as8d9y283gajhgsdads/files/ instead. That's also how file upload websites work.

In answer to your question, the htaccess thing is pretty secure, unless they find other methods on your site to run it from, such as a local file include exploit or something.

Hope that helps.
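One way to write the force-download .htaccess discussed in this thread, as an added example that is not code from either poster. It assumes Apache 2.4 and that AllowOverride permits FileInfo and Options for the uploads directory; the file location in the first comment is an assumption.

```apache
# uploads/.htaccess  (assumed location: the directory that receives uploads)

# Serve every file as an opaque binary, whatever its extension.
ForceType application/octet-stream

<IfModule mod_headers.c>
    # Make the browser save the file instead of rendering it.
    Header set Content-Disposition "attachment"
    # Stop browsers from guessing a renderable type from the content.
    Header set X-Content-Type-Options "nosniff"
</IfModule>

# Changing the content type does not undo an interpreter that the server
# config binds to .php with SetHandler, so reset the handler for every
# file in this directory to plain static delivery.
<FilesMatch ".*">
    SetHandler default-handler
</FilesMatch>

# No CGI execution and no directory listings in the uploads folder.
Options -ExecCGI -Indexes

# Only applies when PHP runs as an Apache module; the module identifier
# depends on the PHP major version (mod_php7.c for 7.x, mod_php.c for 8.x).
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

The same directives can go in a `<Directory>` block in the server config with `AllowOverride None`, which keeps the policy out of the folder that users write to. After deploying, request a harmless test .php file from the uploads folder and confirm the response is the raw source with `Content-Disposition: attachment`.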


ghost
0 0

Thanks for the great reply Mr_Cheese :)

So I think I'll use this method then :)