What are the best practices for validating and sanitizing user input in PHP file upload forms?

When dealing with file uploads in PHP forms, it is crucial to validate and sanitize user input to prevent security vulnerabilities such as file injection attacks. To ensure the uploaded file is safe, always validate the file type, size, and content before processing it. Additionally, sanitize the file name to remove any special characters or potentially harmful code.

// Validate and sanitize file upload input
if(isset($_FILES[&#039;file&#039;])){
    $file = $_FILES[&#039;file&#039;];

    // Validate file type
    $allowed_types = array(&#039;jpg&#039;, &#039;jpeg&#039;, &#039;png&#039;, &#039;gif&#039;);
    $file_ext = pathinfo($file[&#039;name&#039;], PATHINFO_EXTENSION);
    if(!in_array($file_ext, $allowed_types)){
        die(&#039;Invalid file type. Allowed types: jpg, jpeg, png, gif&#039;);
    }

    // Validate file size
    if($file[&#039;size&#039;] &gt; 1048576){ // 1MB
        die(&#039;File size is too large. Maximum size allowed is 1MB&#039;);
    }

    // Sanitize file name
    $file_name = preg_replace(&quot;/[^A-Za-z0-9.]/&quot;, &#039;&#039;, $file[&#039;name&#039;]);

    // Move uploaded file to desired directory
    move_uploaded_file($file[&#039;tmp_name&#039;], &#039;uploads/&#039; . $file_name);
}

Keywords

filter_var move_uploaded_file $_FILES filter_input htmlspecialchars

What are the best practices for validating and sanitizing user input in PHP file upload forms?

Keywords

Related Questions