Hi,
I want to put upload.php in a folder (secure/) that is protected via .htaccess, since I do not want people to directly access this file. Only swfupload should be able to access this file, and only from localhost.
The htaccess only allows connections from localhost, so require_once() & include() to files in this directory work like a charm, since the requests come from localhost.
However, when I place upload.php in this folder and I put my upload_url to http://myhost.com/secure/upload.php, it shows the Forbidden error code.
I don't know a lot about Flash, so maybe this is a really stupid question. Can anyone shed some light?
Thanks a bunch.
April 28, 2009 - 10:23am
Although Adobe claims this is supported by the Flash Player, it doesn't actually work.
April 29, 2009 - 9:15am
That sucks... I'm no security expert, but it seems like a serious vulnerability...
Does anyone have an alternative to secure the upload.php, so that it is accessible by SWFUpload, but not by other scripts / people?
July 6, 2009 - 6:03am
I noticed this as well and it makes perfect sense actually.
I use ColdFusion and am not sure how the PHP crowd does their logins.
In ColdFusion we have a file called Application.cfc which runs before every request, so that gives us an easy way to do this. Basically this file grabs the page that is being run, and there I look to see if the page has /admin/ in it, and if it does, it checks to make sure the login session matches. OK, so that's what I had. I had to change it a bit so that it looks to see if you are in the /admin/ subfolder but excludes the folder that I have the upload scripts in. And then that leaves that folder open to the public, so I gotta add another cfc in there so that the folder can't be browsed... easier than it sounds.
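The per-request gate described in the last post, sketched in PHP as an added example that is not part of the original thread or any poster's code. The folder name /admin/upload/, the script name upload.php and the session key logged_in are assumptions; the path is normalized before matching so the upload-folder exemption applies only to the path the server actually resolves.

```php
<?php
// Added example, not code from the thread. Folder, script and session-key
// names below are assumptions made for illustration.
const PROTECTED_PREFIX = '/admin/';
const UPLOAD_PREFIX    = '/admin/upload/';
const UPLOAD_SCRIPT    = '/admin/upload/upload.php';

// Reduce the request URI to the path the server will resolve: drop the query
// string, decode once, lower-case, and collapse "//", "." and "..".
function normalize_path(string $requestUri): string
{
    $path = explode('?', $requestUri, 2)[0];
    $path = strtolower(str_replace('\\', '/', rawurldecode($path)));
    $out = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($out);
            continue;
        }
        $out[] = $segment;
    }
    return '/' . implode('/', $out);
}

// Decide 'allow' or 'deny' for one request, given the caller's session data.
function gate(string $requestUri, array $session): string
{
    $path = normalize_path($requestUri);
    if (strpos($path . '/', PROTECTED_PREFIX) !== 0) {
        return 'allow';                      // outside /admin/: public
    }
    if (strpos($path . '/', UPLOAD_PREFIX) === 0) {
        // Exempt from the login check, but only the upload script is served,
        // so the folder itself cannot be browsed.
        return $path === UPLOAD_SCRIPT ? 'allow' : 'deny';
    }
    return !empty($session['logged_in']) ? 'allow' : 'deny';
}

// Constructed sample requests; an empty session stands for a request that
// arrives without the login session.
$samples = [
    ['/admin/upload/upload.php', []],
    ['/admin/upload/', []],
    ['/admin/upload/../users.php', []],
    ['/admin/users.php', ['logged_in' => true]],
];
foreach ($samples as [$uri, $session]) {
    printf("%-30s %s\n", $uri, gate($uri, $session));
}
```

The gate only has an effect if it runs before every request, as Application.cfc does; in PHP that is typically arranged with the auto_prepend_file directive or a front controller.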