uploading files and security


Anthony Blackburn

I have a form on a page, made with FP2003, running on a server with FP
Extensions and running IIS.

My concern is on the form, which is at www.goapple.com/order.htm, that if I
add an upload to the form, that I will open myself up to threats.

Can anyone discuss best security practices for uploading attachments on a
form?

Thanks
 

Ronx

For maximum security - Don't allow uploads.

Otherwise:
Use a custom-written server-side script (ASP, PHP, Perl/CGI) supported by
your host (or adapt a script that you can find) that will restrict the file
extensions, filenames, and file sizes. Filenames should be restricted so
that names such as foo.exe.jpg are excluded. The FrontPage upload
component does not qualify here.

Only allow uploads from registered users - do not allow self-registration.
This will require a database for registered users along with the necessary
logon scripts and restricted access to pages. Always vet users before they
are placed in the database as active users.
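
The filename, extension and size restrictions described in the reply above, sketched as an added example that is not part of the original thread. Python is used only for illustration (the thread names ASP, PHP and Perl/CGI); the allow list, size cap, length cap and the function name `check_upload` are assumptions.

```python
import re

# Assumed policy values for illustration; set these to what the form actually needs.
ALLOWED_EXTENSIONS = {"jpg", "png", "pdf"}
MAX_BYTES = 2 * 1024 * 1024          # 2 MiB cap per file
MAX_NAME_LENGTH = 64

# Base name of letters, digits, "_" or "-", then exactly one dot and the extension.
# A second dot cannot match, so names such as foo.exe.jpg are rejected, as are
# path separators, spaces, control characters and leading dots.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.([A-Za-z0-9]+)")


def check_upload(client_filename, size_bytes):
    """Return (accepted, reason) for one uploaded file.

    client_filename is the name sent by the browser (untrusted);
    size_bytes is the number of bytes the server actually received.
    """
    if not client_filename or len(client_filename) > MAX_NAME_LENGTH:
        return False, "filename missing or too long"
    match = SAFE_NAME.fullmatch(client_filename)
    if match is None:
        return False, "filename has disallowed characters or more than one dot"
    if match.group(1).lower() not in ALLOWED_EXTENSIONS:
        return False, "extension not on the allow list"
    if size_bytes <= 0 or size_bytes > MAX_BYTES:
        return False, "file empty or over the size limit"
    return True, "ok"


# Constructed sample inputs (only foo.exe.jpg appears in the thread).
SAMPLES = [
    ("invoice.pdf", 120_000),
    ("foo.exe.jpg", 50_000),
    ("..\\..\\web.config", 900),
    ("photo.JPG", 3 * 1024 * 1024),
    ("setup.exe", 10_000),
]

if __name__ == "__main__":
    for name, size in SAMPLES:
        print(name, size, check_upload(name, size))
```

Run the check on the server after the upload is received, since the browser-supplied name and any client-side size limit are untrusted.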
 