What are some best practices for handling file uploads in PHP to ensure both functionality and security?

When handling file uploads in PHP, it is important to validate the file type, size, and content to prevent malicious files from being uploaded. Additionally, it is crucial to store uploaded files in a secure directory outside of the web root to prevent direct access. Using PHP's built-in file handling functions and sanitizing user input can help ensure both functionality and security.

&lt;?php
// Check if a file was uploaded
if(isset($_FILES[&#039;file&#039;])){
    $file = $_FILES[&#039;file&#039;];

    // Validate file type
    $allowedTypes = [&#039;image/jpeg&#039;, &#039;image/png&#039;];
    if(!in_array($file[&#039;type&#039;], $allowedTypes)){
        die(&#039;Invalid file type.&#039;);
    }

    // Validate file size
    if($file[&#039;size&#039;] &gt; 1000000){
        die(&#039;File is too large.&#039;);
    }

    // Sanitize file name
    $fileName = preg_replace(&quot;/[^A-Za-z0-9.]/&quot;, &#039;&#039;, $file[&#039;name&#039;]);

    // Move uploaded file to secure directory
    $uploadDir = &#039;uploads/&#039;;
    $uploadPath = $uploadDir . $fileName;
    if(move_uploaded_file($file[&#039;tmp_name&#039;], $uploadPath)){
        echo &#039;File uploaded successfully.&#039;;
    } else {
        echo &#039;Failed to upload file.&#039;;
    }
}
?&gt;

Keywords

file uploads PHP security validation move_uploaded_file

What are some best practices for handling file uploads in PHP to ensure both functionality and security?

Keywords

Related Questions