I have created a page that allows users to upload videos and I would like to try and make it more secure.
Currently the page is password protected. The password is stored in the php page as a sha1 hash. Therefore when the user enters a password and clicks submit, it compares a hashed version of what they entered with the hashed version hard coded in the php page.
If the passwords match, they are then presented with the form to upload a video.
I have no checks on the file type as the client wants it to accept every video file format and checking for extensions was not that feasible as I imagine there is a large number of possible extensions. So currently any file type is allowed. I don’t feel too comfortable about this.
The files are uploaded to a folder in the root called “media” which is currently set to chmod 777 - I am sure it doesn’t need to have this much access rights but wanted to at least be sure it works for testing. Would appreciate advice on what chmod setting I should use for this “media” folder.
There is no need to display the videos online in any form. I have created a password protected admin area (just using the shared hosting control panel to set up the password protected directory). The admin area enables the admin to view a list of all videos uploaded and provides a link to each to download a zipped copy of the video. So the admin does not require the ability to view the videos online.
So I wondered if there is a way to secure the “media” folder to prevent anyone else viewing or downloading the video files?
Any advice much appreciated.
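The points raised in the question (hard-coded sha1 password, a world-writable `media` folder inside the web root, no content check on uploads) can be addressed in one upload handler. The following is an added example, not the poster's code: it assumes a hypothetical `upload.php` in the web root, a storage directory `../private_media` one level above the web root (so the web server never serves it directly), a password hash produced once with `password_hash()`, and an admin script that later reads the files from that directory. The placeholder hash value must be replaced with real output of `password_hash()`. It requires PHP 8 for `str_starts_with()`.

```php
<?php
// Added example (not the original poster's code). Assumptions:
//   - this file is served as /upload.php (hypothetical path)
//   - uploads go to ../private_media, OUTSIDE the document root, so a browser
//     cannot request them by URL; the admin download script streams them instead
//   - UPLOAD_PASSWORD_HASH holds output of password_hash(), not a bare sha1
declare(strict_types=1);

// Generate once: php -r 'echo password_hash("your-passphrase", PASSWORD_DEFAULT);'
const UPLOAD_PASSWORD_HASH = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash'; // placeholder
const MEDIA_DIR = __DIR__ . '/../private_media';   // outside the web root
const MAX_BYTES = 2 * 1024 * 1024 * 1024;           // 2 GiB cap; adjust as needed

function ensure_media_dir(): void
{
    if (!is_dir(MEDIA_DIR)) {
        // 0750: owner rwx, group rx, others nothing. 777 is not required.
        if (!mkdir(MEDIA_DIR, 0750, true)) {
            throw new RuntimeException('cannot create media directory');
        }
    }
}

function password_ok(string $submitted): bool
{
    // Constant-time comparison against a salted, slow hash
    return password_verify($submitted, UPLOAD_PASSWORD_HASH);
}

function looks_like_video(string $tmpPath): bool
{
    // Inspect the content's MIME type rather than trusting the extension.
    // libmagic may misclassify uncommon containers, so log rejections and review them.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    return is_string($mime) && str_starts_with($mime, 'video/');
}

function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if (!looks_like_video($file['tmp_name'])) {
        throw new RuntimeException('content does not look like a video');
    }
    ensure_media_dir();

    // Random server-side name; the client-supplied name is recorded, never used as a path.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $ext  = preg_match('/^[a-z0-9]{1,8}$/', $ext) ? ".$ext" : '';
    $name = bin2hex(random_bytes(16)) . $ext;
    $dest = MEDIA_DIR . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640); // owner rw, group r, world nothing

    // Sidecar log so the admin listing can show the original filename
    $original = str_replace(["\t", "\n", "\r"], ' ', $file['name']);
    file_put_contents(MEDIA_DIR . '/index.log',
        date('c') . "\t$name\t$original\n", FILE_APPEND | LOCK_EX);
    return $name;
}

// Request handling
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['password'])) {
    if (password_ok((string) $_POST['password'])) {
        $_SESSION['upload_ok'] = true;
    } else {
        http_response_code(403);
        exit('wrong password');
    }
}
if (empty($_SESSION['upload_ok'])) {
    exit('password required'); // render the password form here
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['video'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_upload($_FILES['video']), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

If the shared host gives no writable directory above the web root, the fallback is to keep `media` inside it and deny direct requests with an Apache `.htaccess` containing `Require all denied` (Apache 2.4) so only the admin download script, which reads files through PHP, can hand them out. On permissions: 777 is usually needed only when PHP runs as a different user than the account that owns the directory; where PHP runs as the site owner (php-fpm or suPHP setups), 0750 on the directory and 0640 on the files are sufficient for both upload and the admin's download script.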