What best practices should be followed when handling file uploads in PHP to avoid server security issues?

File uploads in PHP can pose security risks if not handled properly. To avoid these issues, it is important to validate file types, limit file sizes, store files outside of the web root directory, and sanitize file names to prevent directory traversal attacks.

// Validate file type
$allowedTypes = [&#039;image/jpeg&#039;, &#039;image/png&#039;, &#039;image/gif&#039;];
if (!in_array($_FILES[&#039;file&#039;][&#039;type&#039;], $allowedTypes)) {
    die(&#039;Invalid file type.&#039;);
}

// Limit file size
$maxSize = 10 * 1024 * 1024; // 10MB
if ($_FILES[&#039;file&#039;][&#039;size&#039;] &gt; $maxSize) {
    die(&#039;File is too large.&#039;);
}

// Store files outside of web root directory
$uploadDir = &#039;/var/www/uploads/&#039;;
move_uploaded_file($_FILES[&#039;file&#039;][&#039;tmp_name&#039;], $uploadDir . $_FILES[&#039;file&#039;][&#039;name&#039;]);

// Sanitize file name
$fileName = preg_replace(&quot;/[^A-Za-z0-9_.]/&quot;, &#039;&#039;, $_FILES[&#039;file&#039;][&#039;name&#039;]);
move_uploaded_file($_FILES[&#039;file&#039;][&#039;tmp_name&#039;], $uploadDir . $fileName);

Keywords

File uploads PHP security validation sanitization

What best practices should be followed when handling file uploads in PHP to avoid server security issues?

Keywords

Related Questions