Trongate PHP Framework Docs

Regarding File Security

File uploads are one of the most common attack vectors in web applications. A single malicious file can compromise your entire server. While Trongate provides strong automatic protections, understanding both what is handled for you and what requires your attention is essential for building secure applications.

What Trongate Handles Automatically

1. Path Validation

Every file operation (read, write, delete, etc.) inside the File module triggers a validation check to block directory traversal attempts and unauthorized access to system-critical areas.

Protected areas: The config and engine directories are completely off-limits. Files directly under your application root (such as .htaccess) are also protected from manipulation via the File class.

2. File Content Scanning

During the method call, Trongate scans the first 256 bytes of the file's content for dangerous PHP or system patterns before it is moved to its final destination.

3. MIME Type Verification

Trongate validates that files are what they claim to be. If a file has a .jpg extension but contains PHP binary signatures, the upload will be rejected immediately with a "MIME type mismatch" error.

What You Must Handle

1. File Size Limits

Always set explicit size limits in your validation rules to prevent Denial of Service (DoS) attacks via disk exhaustion.

2. File Renaming

Never trust original filenames. Using random names prevents attackers from guessing file locations or overwriting existing system files.

3. Directory Permissions

Always use the most restrictive permissions possible. While 0755 is standard for web-accessible folders, internal storage should be more restricted.

NEVER use 0777 permissions on production servers. This allows any user on the system to write to or execute files in your directories.

Secure Upload Patterns

Pattern: Isolated User Workspaces

The most secure way to handle user files is to isolate them by ID and use random naming.
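
The three items under "What You Must Handle" combined with the isolated-workspace pattern, as an added example in plain PHP. It is not Trongate's own code and does not call the File module; the storage root, the 2 MB limit, the extension allow-list and the function name are assumptions.

```php
<?php
declare(strict_types=1);

// Added example in plain PHP; it does not use Trongate's File module.
// Assumptions: storage root outside the public directory, 2 MB limit, extension allow-list.
const STORAGE_ROOT = __DIR__ . '/../storage/user_files';
const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'pdf'];

/**
 * Store one entry of $_FILES in a per-user workspace under a random name.
 * Returns the stored path; throws RuntimeException when a check fails.
 */
function store_user_upload(array $file, int $user_id): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file was sent.');
    }
    // 1. Size limit: measure the temp file itself, not the client-reported size.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File is empty or exceeds the size limit.');
    }
    // 2. Renaming: keep only an allow-listed extension and discard the original name.
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('File type not allowed.');
    }
    $new_name = bin2hex(random_bytes(16)) . '.' . $ext;

    // 3. Isolation and permissions: one directory per numeric user ID, mode 0700.
    if ($user_id < 1) {
        throw new RuntimeException('Invalid user ID.');
    }
    $dir = STORAGE_ROOT . '/' . $user_id;
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException('Could not create the user directory.');
    }
    chmod($dir, 0700); // mkdir's mode is subject to umask, so set it explicitly

    $target = $dir . '/' . $new_name;
    // move_uploaded_file() refuses anything that is not a genuine HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move the uploaded file.');
    }
    chmod($target, 0600); // owner read/write only, never executable
    return $target;
}
```

Because the user ID is typed as an integer and the stored name is generated server-side, no client-supplied string ever becomes part of the destination path.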

Quick Security Checklist

  • Validation: Are max_size and allowed_types set?
  • Names: Is make_rand_name set to true for user uploads?
  • Permissions: Are you using 0755 or 0700 (and never 0777)?
  • Storage: Are sensitive files stored outside of the public-facing directory?
  • Sanitization: Are you using Trongate's function when rendering filenames in views?