When uploading files, validate the file mime type
If you are expecting images, make sure the file you receive really is an image; otherwise it may be a PHP script that runs on your server and does whatever damage you can imagine. Do not rely on $_FILES['userfile']['type'] for this: that value is sent by the client and can be set to anything.
One quick first check is the file extension:
$valid_extensions = array('jpg', 'gif', 'png'); // Input valid image extensions here (lowercase)
$file_name = basename($_FILES['userfile']['name']); // Get only filename, no directory part
$arr_file_name = explode('.', $file_name); // Split filename using dot
$ext = strtolower($arr_file_name[count($arr_file_name) - 1]); // Get last extension, lowercased so "Jpg" and "PHP" are compared correctly
if (!in_array($ext, $valid_extensions, true)) { // Strict check of extension against the allowlist
    /* This file is invalid */
}
Note that validating the extension is a simple first filter, not a complete check. It only keeps a PHP script from executing if your web server maps nothing in the allowlist to the PHP interpreter, and it says nothing about what is inside the file: the comparison is case-sensitive unless you lowercase the extension, a name like shell.php.jpg passes it (and some Apache setups using AddHandler will treat a .php segment anywhere in the name as executable), and a file that really is a valid .jpg can still carry PHP code that runs if another bug later includes it. Pair the extension check with a content check (finfo on the file's magic bytes, or getimagesize), and store uploads under a server-generated name in a directory outside the document root.
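The following is an added example, not code from the original page: it combines the extension allowlist with two content checks and a server-generated filename. The function names validate_image_upload and store_upload, and the store directory argument, are assumptions for illustration; the demo at the bottom builds its own input files (a real 1x1 PNG and a PHP script renamed to .png) rather than reading a live request.

```php
<?php
// Added example (hypothetical helper names, not from the original page).

/**
 * Validate an uploaded image by extension allowlist, real MIME type
 * (magic bytes via finfo) and a successful image parse (getimagesize).
 * Returns the normalised extension on success, or null if rejected.
 */
function validate_image_upload(string $original_name, string $tmp_path): ?string
{
    // Allowed extension => MIME type the file's bytes must actually have.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'png'  => 'image/png',
    ];

    // Extension check: lowercase, last segment only ("shell.php.PNG" -> "png").
    // This alone must never decide that the file is safe.
    $ext = strtolower(pathinfo(basename($original_name), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }

    // Content check 1: MIME type derived from the file's magic bytes.
    // Never use $_FILES[...]['type'] here; the client supplies that.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path);
    if ($mime !== $allowed[$ext]) {
        return null;
    }

    // Content check 2: the image decoder must accept it and agree on the type.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        return null;
    }

    return $ext === 'jpeg' ? 'jpg' : $ext;
}

/**
 * Store an accepted upload under a random server-generated name so the
 * attacker-chosen filename is never used on disk. $store_dir is an assumed
 * path and should be outside the document root. In a real handler, call
 * this with $_FILES['userfile']['tmp_name'] after validation succeeds.
 */
function store_upload(string $tmp_path, string $ext, string $store_dir): string
{
    $dest = $store_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp_path, $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $dest;
}

// Self-contained demo with constructed files instead of a real request.
// $png is a genuine 1x1 transparent PNG; $script is the attack the text warns about.
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$script = "<?php system(\$_GET['cmd']); ?>";

$good = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($good, $png);
$bad = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($bad, $script);

// Case 1: real PNG with an upper-case extension (extension + content both pass).
var_dump(validate_image_upload('photo.PNG', $good));
// Case 2: PHP script renamed with a double extension (extension passes, content fails).
var_dump(validate_image_upload('shell.php.png', $bad));
// Case 3: real PNG but a disallowed extension (extension fails before content is read).
var_dump(validate_image_upload('shell.php', $good));

unlink($good);
unlink($bad);
```

The ordering matters: the cheap extension check runs first, but acceptance is decided by the bytes, and the file only ever reaches disk under a name the server chose.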