What Php Functions To Use To Build A Secure File Upload Form ?

[The Code Queryer]

Php Folks,

I want to allow my website members to login to their accounts and upload files to my server so other members can view them. Files such as text files, image files, audio files and video files. But not program files or executable files.
Now, what features must my File Upload Form have ?
I need a complete list of Php features it must have. I need you to give me a complete list of Php Functions the File Upload Form must make use of.
Kindly list as many Php features and functions you can think of that my File Upload Form must have in order for it to be a Secure File Upload Form so no one can upload malicious files (virus, programs, etc.).
I am going to get the File Upload Form developed by a paid programmer. I need to give the programmer a list of features the File Upload Form must have. Here is my list of REQUIREMENTS so far:

REQUIREMENT 1:
Add filters and sanitizations so malicious files cannot be uploaded. Nor can sql injections can be made.

REQUIREMENT 2:
Only file types from White-List should be uploaded. Any File Types not listed on this White-List should be discarded and not uploaded. Error should be given that this type of file is not allowed to be uploaded.

REQUIREMENT 3:
Uploaded File should not be more than 100MB. Echo error if File Sizes exceed limit & halt script.
MUST check File Size with function: file_size():
https://www.php.net/...unction.filesize.php

REQUIREMENT 4:
Set a maximum name length and maximum file size – Make sure to set a maximum name length and file size in order to prevent a Denial of Service attack.
If you do not know what I am talking about then read number "6" on the following link:
https://www.opswat.c...ction-best-practices

REQUIREMENT 5:
MUST make use php of function getimagesize() for security purpose.
https://www.php.net/...ion.getimagesize.php

REQUIREMENT 6:
Write to the file when you store it to include a header that makes it non-executable.
If you do not understand what I am talking about then read the line on the following link that comes just after the CONCLUSION section.
https://www.wordfenc...oad-vulnerabilities/

REQUIREMENT 7:
MUST STORE all errors and DISPLAY all errors using traditional:
"Errors[] = "";.
On my script, fix my error coding mistakes related to the following format as I have no clue how to fix all that to store errors and display them.
"Errors[] = "";.

REQUIREMENT 8:
To detect File Details, should use php functions:
file_info() & mime_content_type():
https://www.php.net/...ction.finfo-file.php
https://www.php.net/...ime-content-type.php
Script Files (executable files) should not be uploadable. Only text files (.txt, .doc, .pdf, etc.), image files (.giff, .jpeg, etc.), audio files (.mp3, etc.) and video files (.mp4, .wav, etc.).

REQUIREMENT 9:
Script should check whether file upload was successful or not.
MUST check with upload with function: is_uploaded_file().
http://php.net/manua...is-uploaded-file.php
NOTE: After the check, user must get notified whether file has been uploaded successfully or not.

END OF REQUIREMENTS

Q2.
Should I get the programmer to add security features from other languages ? Currently, all my REQUIREMENTS revolve around Php as that is the only programming language I am learning. I do not have experience in any other languages. Server-side or Client-side.
Now, do you reckon I should get the programmer to add security features on Client-side ? If so, program in which language and make use of which functions from that language ? Can you give me a complete list ?

Q3. For security purpose, should I even bother getting the programmer to turn the current File Upload Form into an Ajax form ?

Q4. For security purpose, should I even bother getting the programmer to add Json or Jscript ? Are they really necessary ?
If so, which features and functions must be used to make the File Upload Form more secure ?
(I was just youtubing to learn more about Ajax and what is Json or Jquery and so I am very raw in these 3 fields. Hence, need your advice whether of these 3 should be added or not and what features and/or functions must be added from them 3).

Q5. Which language was used to build youtube you reckon and which of the functions were used from the language/s, you reckon ?

Q6. If you were in my position then which languages would you make use of and which functions and features of these languages would you make use of ? I need your complete list.

Thanks

[Shades]

Is it perhaps not a better idea to look at open source projects (and their code), which already do this kind of functionality? Nextcloud would be a decent enough place to start looking for code that handles user login, uploading of files (securely) and how they share this content among users/user groups etc. I think you can run it on a (very) recent version of the XAMPP development environment on Windows. But you could also create a VM with Linux and the test envelopment requirements.

I know for sure that the Ubuntu Server LTS iso installer has an option that says if you want to create a LAMPP (Linux Apache MySQL, PHP Perl) setup. For the rest you can use the default settings provided by the installer, those are very usable from the get-go. Skip any of the GUIs and you have a 4 GByte VM that works excellent for web development. If you plan to test a lot at once, better reserve 8 GByte of space for this VM. Assigning 1GByte of RAM to this VM is more than enough for simple development. It is slightly more work than installing XAMPP, but works well. And you bare coding against Linux, which is the most likely OS your host is using, so you won't have to do as much troubleshooting your code base.

There are other open source file sharing projects you could take a look at, in case NextCloud isn't your thing. Google is your friend.

[The Code Queryer]

Is it perhaps not a better idea to look at open source projects (and their code), which already do this kind of functionality? Nextcloud would be a decent enough place to start looking for code that handles user login, uploading of files (securely) and how they share this content among users/user groups etc. I think you can run it on a (very) recent version of the XAMPP development environment on Windows. But you could also create a VM with Linux and the test envelopment requirements.

I know for sure that the Ubuntu Server LTS iso installer has an option that says if you want to create a LAMPP (Linux Apache MySQL, PHP Perl) setup. For the rest you can use the default settings provided by the installer, those are very usable from the get-go. Skip any of the GUIs and you have a 4 GByte VM that works excellent for web development. If you plan to test a lot at once, better reserve 8 GByte of space for this VM. Assigning 1GByte of RAM to this VM is more than enough for simple development. It is slightly more work than installing XAMPP, but works well. And you bare coding against Linux, which is the most likely OS your host is using, so you won't have to do as much troubleshooting your code base.

There are other open source file sharing projects you could take a look at, in case NextCloud isn't your thing. Google is your friend.

-Shades (April 29, 2019, 11:02 PM)

Thanks.
Yes. I use Windows and Xampp.
But I got Vps using CentOS 7.
Have you seen those File Upload Hosts ? There were some even few yrs back that paid you for every downloads. I am now thinking, maybe I use their File Upload feature so when my members login to their member accounts on my website, they do not see any File Upload Page on my own website but I forward them to the Page of the File Hosts. There they can upload their video files. I can then link to those uploaded videos from my website so members can see the links where their uploaded files are uploaded and hosted. This way, I do not have to write my own File Upload Script and do not have to worry about any member uploading malicious files. I'm sure the File Host will have appropriate measures in place to deter malicious file uploads. What do you say ?

Thanks for pointing out NextCloud! Checking them out now!

A very big CHEEEERS!

[Shades]

Yeah, your idea sound similar to the concept torrent websites hide behind. They only link to torrent files, not the actual content these torrents refer to. That failed in several courts already, although technically they are correct. Then there is the thing: "letter of the law, spirit of the law". There is where things start to fail. Be ready to receive and process 'cease-and-desist' notices as fast as you can. That might give you enough breathing room to put significant legal defenses in place, you know, for when (not if) sh.t hits the fan.

By all means, go ahead with your plans, but gain sufficient knowledge about legal implications of your ideas too. More than likely it is not as cut and dry as you currently think it is.

There can also be issues with users having to login to your site and then having to login to another site. Make sure you add sufficient value to this scheme, because for the user you and your site become a middle man and anyone tries to cut those out whenever they can.

Creating a VM with CentOS 7 won't be difficult either. It will result in you having to troubleshoot much less code (differences between Windows and Linux based servers are real, even if the version numbers of the tools/frameworks you use on these servers are the same).