Menu
I have a site on which users can upload files to a subdirectory. I'm filtering the uploads check for potentially malicious code. I'm new to the security side of things, so does this look like a best-practice for securing uploads to the server? If not or if I'm missing anything, could you point me in the right direction?
//arrays with acceptable file extensions/types -- default validations set to false
$acceptable_ext = array('jpg', 'JPG', 'jpeg', 'JPEG', 'gif', 'GIF', 'png', 'PNG');
$acceptable_type = array('image/jpeg', 'image/gif', 'image/png');
$validated_ext = 0;
$validated_type = 0;
//validate file extension and type
if($_FILES && $_FILES['file']['name']) {
$file_info = pathinfo($_FILES['file']['name']);
//validate extension
for ($x=0; $x < count($acceptable_ext); $x++) {
if($file_info['extension'] == $acceptable_ext[$x]) {
$validated_ext = 1;
}
}
//validate type
for ($x=0; $x < count($acceptable_type); $x++) {
if($file_info['type'] == $acceptable_type[$x]) {
$validated_type = 1;
}
}
}
if($validated_ext && $validated_type) {
//upload file to the server blah blah
}
614
You can check out some security configurations here.
Checking MIME types, ini config, .htaccess etc will give you extra security or extra validation as per the link.
141
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
