When uploading files, validate the file mime type

If you are expecting images, make sure the file you receive really is an image. Otherwise it may be a PHP script that, once stored under your web root, runs on your server with the privileges of the web server process and does whatever damage you can imagine.

One quick first check is the file extension, against a whitelist of the extensions you expect (never a blacklist of the ones you fear):

$valid_extensions = array('jpg', 'gif', 'png'); // Whitelist of image extensions you accept; add others you really need

if (!isset($_FILES['userfile']) || $_FILES['userfile']['error'] !== UPLOAD_ERR_OK) {
    /* Nothing was uploaded, or the upload failed: stop here */
}

$file_name = basename($_FILES['userfile']['name']); // Strip any directory part from the client-supplied name
$ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION)); // Extension after the last dot, lower-cased so "JPG" matches "jpg"

if ($ext === '' || !in_array($ext, $valid_extensions, true)) { // Strict whitelist check; no extension is also invalid
    /* This file is invalid */
}

Note that checking the extension is a very simple way, and not the best way, to validate uploads, but as a whitelist it is effective against the most direct attack: unless you have configured your server to hand .jpg files to the PHP interpreter, a script stored as photo.jpg is served as static bytes, not executed.
Three caveats a practitioner should keep in mind. First, the check says nothing about the file's content, so a PHP script renamed to .jpg is stored verbatim and will still run if any other code path include()s or eval()s it; sniff the real content (finfo, getimagesize) as well. Second, server configuration matters: on Apache with an AddHandler directive for PHP, mod_mime looks at every extension in the name, so shell.php.jpg can still be executed even though the last extension passed the whitelist. Third, never use the client-supplied name as the stored filename; generate your own, and keep the upload directory outside the web root or otherwise non-executable.
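Putting the pieces together, here is an added example (my code, not code from the original post) that combines the extension whitelist with checks on the file's actual bytes and then stores the file under a server-generated name. It assumes PHP 7.1 or later with the fileinfo and GD extensions enabled, a form field named userfile, and an upload directory /var/www/uploads that the web server is not configured to execute scripts from; all of these are assumptions of the example.

```php
<?php
// Added example: extension whitelist plus content checks for an image upload.
// Assumptions: form field "userfile"; $upload_dir is outside the web root or
// otherwise not executable; PHP >= 7.1 with fileinfo and GD available.

/**
 * Returns the validated extension to store the file under, or null if the
 * upload must be rejected.
 *
 * @param array $file    one entry of $_FILES
 * @param array $allowed map of accepted extension => MIME type finfo must report
 */
function validate_image_upload(array $file, array $allowed): ?string
{
    // 1. The upload must have succeeded and really be an uploaded file;
    //    is_uploaded_file() guards against a forged $_FILES entry.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }

    // 2. Whitelist the extension of the client-supplied name
    //    (used only to pick the extension we store under, never as the name).
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // 3. Sniff the real content type from the bytes on disk. Do not use
    //    $file['type']: it is sent by the client and can say anything.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        return null;
    }

    // 4. Have GD parse the image header; a PHP script named photo.jpg fails here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        return null;
    }

    return $ext;
}

// Accepted extensions and the MIME type each must actually be.
$allowed = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

$upload_dir = '/var/www/uploads'; // assumption: not served as executable by the web server

$ext = validate_image_upload($_FILES['userfile'] ?? [], $allowed);
if ($ext === null) {
    http_response_code(400);
    exit('Invalid image upload');
}

// 5. Store under a name we generated, not the one the client sent.
$target = $upload_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $target)) {
    http_response_code(500);
    exit('Could not store file');
}
chmod($target, 0644); // readable by the server, not executable
```

The order of checks is deliberate: the cheap extension test runs first, the two content checks only run on files that already passed it, and the stored name carries no client-controlled bytes, so neither a double extension nor a path fragment in the original filename reaches the filesystem.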

