Spread The Knowledge

6 Security Tips For PHP File Upload

Mahesh Dhaka CEO at WEBHOBS

Many of the websites are using the functionality of PHP file upload but at the same time, it's also the favorite way of hackers to crack down the security of websites. We need to put few of the important checkpoints at file upload to make it secure. These are as follow:-

1. Check For File Extension

Let's suppose, you needs to upload the images through file upload with the following extensions: .jpg, .jpeg, .png and .gif then we can put a filer to check the valid file extensions.

 $whitelist = array(".jpg",".jpeg",".gif",".png"); 
 if (!(in_array($file_ext, $whitelist))) {
    die('Not allowed to upload the particular file extension');

Still, hackers can crack this out easily by using the file extensions like: shell.php;.jpg or shell.php.jpg So, let's make it more secure by renaming the files:-

2. Rename The Files

We can rename the uploading files by using any specific pattern or randomly. Social media websites like Facebook and LinkedIn rename the Profile Picture and Cover Photo for this reason only.

$temp = explode(".", $_FILES["file"]["name"]);
$newfilename = round(microtime(true)) . '.' . end($temp);
move_uploaded_file($_FILES["file"]["tmp_name"], "../img/imageDirectory/" . $newfilename);

but, don't think that the file upload is fully secure now. Hackers can easily insert the PHP code inside the image file:-

//Hackers can put the PHP code inside the image file by using image code editor
exiftool -documentname='<?php echo "foobarbaz"; ?>'

Now, to prevent that we must have to reprocess the image for quality checks:-

3. Reprocess the image using Imagemagick API:-

It's a native PHP extension of Imagemagick to reprocess the images. It can read, convert and write the image in variety of formats. By using the processed images the malicious PHP code will be removed automatically.

4. Don't upload at parent domain

It's a good practice to upload the images at subdomain or another domain. Sometimes, the hackers uploads Javascript code that sends the cookies to the server but by uploading the images at sub domain, cookies are not going to be accessible.

5. Check File Size

The practice of uploading heavy images at server will degrade the performance of server. We can put the filter at the size of image.

if(file && file.size < 10485760) { // 10 MB (this size is in bytes)
        //Submit form        
    } else {
        //Prevent default and display error

6. Check For MIME Types

MIME type stand for Multipurpose Internet Mail Extensions. It can help us to identify the nature and format of file.

function get_mime_type($file) {
 $mtype = false;
 if (function_exists('finfo_open')) {
 $finfo = finfo_open(FILEINFO_MIME_TYPE);
 $mtype = finfo_file($finfo, $file);
 } elseif (function_exists('mime_content_type')) {
 $mtype = mime_content_type($file);
 return $mtype;

The above-mentioned tips will help you to make a secure file upload in PHP. Still, we should always be get updated with new security threads and their preventions.

Ask The Queries or Share Your Views.

8 Reasons why PHP is best programming language for the web development

The Smackdown b/w Node JS V/S PHP

6 Benefits Of Using PHP 7

How To Send Email Using PHP

Difference b/w PDO and MySQLi

How To Secure Cookies In PHP

8 Security Tips For PHP Developers

6 Security Tips For PHP File Upload

5 Common Attacks At PHP Website

5 Tips to Speed Up Your Website