There were several major changes in version 3.0+ that helped make Uploadify more secure. The most significant of those changes was the removal of the folder option. Exposing the upload folder on the client side was a bad idea. This time around, the upload folder is set in the uploadify.php file, where it is harder to discover.
Aside from hiding the upload destination folder, there are a few other things you can do to make your implementation of Uploadify more secure.
- Rename your uploadify.php file to something unique.
- Make sure the permissions of your upload folder are correct. If you’re unsure of what permissions to set them to, use 755.
- Do some file type checking in the uploadify.php script. Using only the fileTypeExts option is not enough as it is easily bypassed. There is some simple file type checking in the uploadify.php script that comes in the download package.
- Place your upload destination folder outside of the public html root… or if you can’t…
- Add a blank index.php file in the upload destination folder along with an .htaccess file with the following code:
    order allow,deny
    deny from all
    # Options may not mix the bare "All" form with a "-" form; Apache rejects that line
    Options -Indexes
- Use SSL if possible.
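As an added illustration of the server-side file type checking recommended above (this is example code, not the uploadify.php shipped in the download package), the script below validates the extension, the actual bytes and the image header before storing the file under a generated name. It assumes PHP 7+, that the client posts the file in the "Filedata" field (Uploadify's default field name), and a folder named private_uploads outside the public html root.

```php
<?php
// Added example for uploadify.php; not the script shipped with Uploadify.
// The destination folder is fixed here on the server and never taken from
// a client-supplied option (the removed "folder" option of older versions).
$targetFolder = __DIR__ . '/../private_uploads';   // assumed path, outside the web root
$allowedExts  = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

// Returns the vetted extension, or null if the upload must be rejected.
function validate_upload(array $file, array $allowedExts): ?string {
    // Reject anything PHP itself flagged (size limit, partial upload, no file).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // 1. Extension check on the server. The client-side fileTypeExts option
    //    only filters the file picker and can be bypassed by any client.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowedExts[$ext])) {
        return null;
    }
    // 2. Sniff the MIME type from the file's bytes. $file['type'] is sent by
    //    the client and must not be trusted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $allowedExts[$ext]) {
        return null;
    }
    // 3. Require a parseable image header as well; a renamed script fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    return $ext;
}

if (!empty($_FILES['Filedata'])) {
    $ext = validate_upload($_FILES['Filedata'], $allowedExts);
    if ($ext === null) {
        http_response_code(400);
        exit('Invalid file');
    }
    // Never reuse the client's filename: it may carry path components or a
    // double extension. Generate an unguessable name with the vetted extension.
    $dest = $targetFolder . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['Filedata']['tmp_name'], $dest)) {
        http_response_code(500);
        exit('Upload failed');
    }
    echo '1';   // Uploadify treats a non-empty response as success
}
```

Because the stored file sits outside the public html root and carries a random name, a file that slips past the checks still cannot be requested directly from the browser.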