What best practices should be followed when handling file uploads and database inserts in PHP to ensure data integrity and security?

When handling file uploads and database inserts in PHP, it is important to validate and sanitize user input to prevent SQL injection and other security vulnerabilities. Additionally, file uploads should be checked for file type and size to prevent malicious uploads. Using prepared statements for database inserts can help prevent SQL injection attacks and ensure data integrity.

// Validate and sanitize file upload
$allowedFileTypes = [&#039;jpg&#039;, &#039;jpeg&#039;, &#039;png&#039;];
$maxFileSize = 5 * 1024 * 1024; // 5MB

if ($_FILES[&#039;file&#039;][&#039;error&#039;] === UPLOAD_ERR_OK) {
    $fileExtension = pathinfo($_FILES[&#039;file&#039;][&#039;name&#039;], PATHINFO_EXTENSION);
    
    if (!in_array($fileExtension, $allowedFileTypes)) {
        die(&#039;Invalid file type.&#039;);
    }
    
    if ($_FILES[&#039;file&#039;][&#039;size&#039;] &gt; $maxFileSize) {
        die(&#039;File size exceeds limit.&#039;);
    }
    
    // Process file upload
    move_uploaded_file($_FILES[&#039;file&#039;][&#039;tmp_name&#039;], &#039;uploads/&#039; . $_FILES[&#039;file&#039;][&#039;name&#039;]);
}

// Use prepared statements for database inserts
$stmt = $pdo-&gt;prepare(&quot;INSERT INTO table_name (column1, column2) VALUES (:value1, :value2)&quot;);
$stmt-&gt;bindParam(&#039;:value1&#039;, $value1);
$stmt-&gt;bindParam(&#039;:value2&#039;, $value2);

// Sanitize user input before binding parameters
$value1 = filter_var($_POST[&#039;value1&#039;], FILTER_SANITIZE_STRING);
$value2 = filter_var($_POST[&#039;value2&#039;], FILTER_SANITIZE_STRING);

$stmt-&gt;execute();

Keywords

file uploads database inserts data integrity security PHP functions

What best practices should be followed when handling file uploads and database inserts in PHP to ensure data integrity and security?

Keywords

Related Questions