6
votes
How to securely handle user file uploads in PHP?
Asked 2 hours ago
by user22222
I need to implement a file upload feature in PHP but I'm unsure about the best way to handle security concerns. I understand the basics of using $_FILES and moving files to a target directory, but what specific methods should I use to prevent malicious uploads?
Are there built-in PHP functions for verifying file types and detecting malicious content? What are the recommended practices for ensuring uploaded files are secure and don't introduce vulnerabilities to the application?
2 Answers
12
by SecureCoders · 1 hour ago
- Validate file types using
mime_content_type()rather than relying on filename extensions - Use
move_uploaded_file()to ensure files are only moved from the temporary directory - Scan for viruses with tools like ClamAV before processing
- Store files outside the web root to prevent direct access
- Sanitize filenames to avoid directory traversal attempts
<?php
// Example secure upload handling
$allowed = ['image/jpeg', 'image/png'];
if (isset($_FILES['upload']) && in_array(mime_content_type($_FILES['upload']['tmp_name']), $allowed)) {
$filename = bin2hex(random_bytes(16)) . '.' . pathinfo($_FILES['upload']['name'], PATHINFO_EXTENSION);
move_uploaded_file($_FILES['upload']['tmp_name'], '/secure/uploads/' . $filename);
}
?>
7
by CloudSec · 40 min ago
Additional security tips:
- Limit file sizes with
upload_max_filesizein PHP.ini - Use
$_ENV['PATH_INFO']validation - Implement rate limiting
- Use
chmod()to restrict file permissions after upload