PHP Security Tips For Upload Files
Always restrict the file types that users are allowed to upload, and don't rely on a blacklist approach. Eg : a reasonable blacklist policy would seem to be "Don't allow the upload of .php files." If someone uploads a file named .htaccess, the blacklist won't catch it. Placing the line below in an .htaccess file and uploading it to a system protected only by a blacklist policy defeats that policy:
AddType application/x-httpd-php .php .htm
With that directive in place, .htm files are executed as PHP, so users can now upload any file with PHP code in it and start poking around in your system.
You have to be careful with file uploads: protect them with a whitelist policy instead, and make sure that the files that have been uploaded are actually of the type you allowed. One way is to check the file extension, but that is not the safest way to do it.
The more secure way is to use FileInfo. It examines the contents of the file and identifies the content type from specific magic byte sequences, rather than trusting the file name or the Content-Type the client sent.
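The following is an added example, not code from the original article: an upload check that combines an extension whitelist with a FileInfo check on the actual bytes, and then stores the file under a server-generated name. The allowed-type table, directory layout and the constructed sample files are assumptions for illustration.

```php
<?php
// Added example (not from the original article): whitelist-based upload validation.
// Extension whitelist + finfo (FileInfo) check of the file contents, then storage
// under a server-generated name. ALLOWED_TYPES and the paths are assumptions.
declare(strict_types=1);

// Whitelist: allowed extension => MIME type that finfo must report for the contents.
const ALLOWED_TYPES = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

/**
 * Validate an uploaded file against the whitelist.
 * Returns the extension to store the file under, or throws on any mismatch.
 *
 * $tmpPath  : path of the uploaded temp file  ($_FILES['f']['tmp_name'])
 * $origName : client-supplied file name        ($_FILES['f']['name']), used only
 *             to pick the expected type; it is never used as the stored name.
 */
function validateUpload(string $tmpPath, string $origName): string
{
    // Only the final extension is considered, so "evil.php.png" is treated as
    // "png" here and the contents check below must confirm it really is a PNG.
    $ext = strtolower(pathinfo($origName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException("extension '$ext' is not on the whitelist");
    }

    // Look at the actual bytes (libmagic), not the name or the client Content-Type.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);

    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("contents look like '$mime', expected " . ALLOWED_TYPES[$ext]);
    }
    return $ext;
}

/**
 * Store a validated upload under a random server-chosen name. $uploadDir is
 * assumed to be outside the web root (or a directory with script execution
 * disabled), so a client-chosen name such as .htaccess never reaches the server.
 */
function storeUpload(string $tmpPath, string $ext, string $uploadDir): string
{
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses files that did not arrive via an HTTP upload.
    if (!move_uploaded_file($tmpPath, $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    return $dest;
}

// Offline demo with two constructed files: a minimal real PNG (signature + IHDR
// chunk) and a text file that merely carries a .png name.
if (PHP_SAPI === 'cli') {
    $png = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($png,
        "\x89PNG\r\n\x1a\n"
        . pack('N', 13) . 'IHDR' . pack('NNCCCCC', 1, 1, 8, 2, 0, 0, 0) . "\x90\x77\x53\xde");
    echo 'accepted as: ', validateUpload($png, 'photo.png'), "\n";

    $fake = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($fake, "<?php echo 'not an image'; ?>\n");
    try {
        validateUpload($fake, 'photo.png');
    } catch (RuntimeException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
    unlink($png);
    unlink($fake);
}
```

In a request handler the calls are validateUpload($_FILES['f']['tmp_name'], $_FILES['f']['name']) followed by storeUpload(...). Note that finfo only identifies what libmagic recognises from leading bytes, so it is a check on top of the whitelist, not a replacement for it, and storing files under names you generate (never the client's) is what keeps an uploaded .htaccess from ever being honoured.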
References
- FileInfo
- FileInfo Documentation