I used this PHP code to validate my files. Is it enough, or is there more I can do?

```php
$tmp = explode('.', $_FILES['imgfilename']['name']);
$fileext = $tmp[count($tmp) - 1];
$fileext = strtolower($fileext);
$allowedexts = array("gif");
if (in_array($fileext, $allowedexts)) {
}
```

```php
$_FILES['imgfilename']['size']
is_writable('../fileloc')
move_uploaded_file($_FILES['filename']['tmp_name'], $uploadfileloc);
```

And if my folder's permissions are set to writable, then any application can write to it. How do I work around that so only my PHP scripts can write to my folders? Thanks. ~imozeb
Use pathinfo() with the PATHINFO_EXTENSION option, as it's more reliable for retrieving the extension.

```php
$fileext = pathinfo($_FILES['imgfilename']['name'], PATHINFO_EXTENSION);
$fileext = strtolower($fileext);
$allowedexts = array("gif");
if (in_array($fileext, $allowedexts)) {
}
```
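As an added example (not code from either poster), here is what the extension check above looks like once the rest of the upload is validated as well: the upload status, the real size on disk, and the file's actual content rather than only its name. The field name `imgfilename`, the 2 MB limit and the helper name `validate_gif_upload` are assumptions for illustration.

```php
<?php
// Added example: validates an uploaded GIF by upload status, real size,
// extension (via pathinfo) and actual content. Field name and limit are assumed.

function validate_gif_upload(array $file, int $maxBytes = 2 * 1024 * 1024): ?string
{
    // Reject anything PHP itself reported as a failed or missing upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload error';
    }
    // Only trust files that arrived through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Check the size on disk, not the client-supplied $file['size'].
    if (filesize($file['tmp_name']) > $maxBytes) {
        return 'file too large';
    }
    // Extension check with pathinfo(), as recommended above.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ['gif'], true)) {
        return 'bad extension';
    }
    // The name is attacker-controlled, so inspect the bytes as well.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== 'image/gif') {
        return 'content is not a GIF';
    }
    // getimagesize() parses the image header; IMAGETYPE_GIF confirms the format.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_GIF) {
        return 'not a valid GIF image';
    }
    return null; // null means every check passed
}

$error = validate_gif_upload($_FILES['imgfilename'] ?? []);
if ($error !== null) {
    http_response_code(400);
    exit('Rejected: ' . $error);
}
```

Checking `$_FILES[...]['size']` alone is not enough, because that value is derived from the request; `filesize()` on the temporary file is what actually landed on disk. The content checks matter because an extension whitelist says nothing about what the bytes are.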
Thanks for the reply, danx10. Is there anything else I should do, or is that about the best I can do with uploading files? And... is there a way to make it so that only my PHP scripts have permission to write data to my folders? I was thinking that, since I set the folder permissions to writable, anyone, even people who do not have files in my site's directories, can write junk to my folders!
Can I change it so it only accepts specific file names? And is there any other way I can make it so only my scripts can access to write files?
To avoid going through this loop, I would suggest that you rename the file to a non-executable name, e.g. xlkj324. Store that name along with the actual name in the database. When the user downloads the file, you then re-attach the original name via headers. This will enable you to store any type of file (even exe, bin, pl, php, etc.) without having to worry about those files attacking your server.
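The rename-and-serve approach above, written out as an added example (not the poster's code). It also addresses the folder-permission question from the earlier posts: the upload directory is assumed to sit outside the document root and to be owned by the user PHP runs as, with mode 0700, so it is neither reachable by URL nor writable by other accounts on the host. The directory path, the `uploads` table with `stored_name` and `original_name` columns, and the helper names are assumptions for illustration.

```php
<?php
// Added example: store uploads under a random, extension-less name outside the
// web root and serve them back with the original name in headers.
// UPLOAD_DIR, the table and column names are assumed.

const UPLOAD_DIR = '/var/www/private_uploads'; // assumed: not under the document root

function store_upload(array $file, PDO $db): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Random, extension-less name: not executable by the web server, not guessable.
    $stored = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0600); // readable/writable only by the PHP user
    // The user-supplied name is kept as data in the database, never used as a path.
    $stmt = $db->prepare('INSERT INTO uploads (stored_name, original_name) VALUES (?, ?)');
    $stmt->execute([$stored, basename($file['name'])]);
    return $stored;
}

function send_download(string $stored, PDO $db): void
{
    // Clients only ever supply the random id; anything else is a 404.
    if (!preg_match('/^[a-f0-9]{32}$/', $stored)) {
        http_response_code(404);
        exit;
    }
    $stmt = $db->prepare('SELECT original_name FROM uploads WHERE stored_name = ?');
    $stmt->execute([$stored]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $path = UPLOAD_DIR . '/' . $stored;
    if ($row === false || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    // Re-attach the original name, sanitised so it cannot inject header text.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['original_name']);
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}
```

Serving everything as `application/octet-stream` with `nosniff` means the browser downloads the file rather than rendering or executing it, which is what makes storing arbitrary types safe. Because the stored name is random and the directory is outside the web root, a request can never reach the file directly, only through `send_download()`.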