What are some best practices for handling file uploads securely in PHP?

When handling file uploads securely in PHP, it is important to validate the file type and size, store the uploaded files outside the web root directory, generate unique file names, and use server-side validation to prevent malicious uploads. 

// Validate file type and size
$allowedTypes = ['image/jpeg', 'image/png'];
$maxSize = 1048576; // 1MB

if (!in_array($_FILES['file']['type'], $allowedTypes) || $_FILES['file']['size'] > $maxSize) {
    die('Invalid file type or size.');
}

// Store uploaded files outside web root directory
$uploadDir = '/var/www/uploads/';
$uploadFile = $uploadDir . basename($_FILES['file']['name']);

// Generate unique file name
$uniqueFileName = uniqid() . '_' . $_FILES['file']['name'];

// Move uploaded file to secure directory
if (move_uploaded_file($_FILES['file']['tmp_name'], $uploadDir . $uniqueFileName)) {
    echo 'File is valid, and was successfully uploaded.';
} else {
    echo 'Upload failed.';
}

Keywords

file uploads security PHP validation encryption

Related Questions