PHP File Upload Security Ideas

Some Precautions To Make File Uploads With PHP Safer

By , About.com Guide

When you allow users to upload files to your website, you are putting yourself at a security risk. While nobody is ever completely safe, here are some precautions you can incorporate to make your site safer.
  1. Check the referrer: Make sure that the information being sent to your script comes from your website and not an outside source. While this information can be faked, it's still a good idea to check.

  2. Restrict file types: You can check the MIME type and file extension and only allow certain types to be uploaded.

  3. Rename files: You can rename the files that are uploaded. In doing so, check for double-barreled extensions like yourfile.php.gif and eliminate extensions you don't allow, or remove the file completely.

  4. Change permissions: Change the permissions on the upload folder so that files within it are not executable. Your FTP program probably allows you to chmod right from it.

  5. Log in and moderate: Making your users log in might deter some deviant behavior. You can also take the time to moderate all file uploads before allowing them to become live on the web.
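
The following added example (not code from the original article) shows one way to combine precautions 2 to 4 in a single PHP upload handler: an extension allowlist that rejects double-barreled names, a MIME check against the file's content, a server-chosen file name, and non-executable permissions. The upload directory, the allowlist and the function names are assumptions chosen for illustration, and the fileinfo extension is assumed to be enabled.

```php
<?php
// Added example: UPLOAD_DIR, ALLOWED and both function names are assumptions.
const UPLOAD_DIR = '/var/www/uploads';   // assumed path; adjust to your site
const ALLOWED = [                        // extension => MIME type expected from content
    'gif' => 'image/gif',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

/**
 * Return the single allowed extension of a client-supplied name, or null.
 * Names with more than one dot-separated suffix (yourfile.php.gif) are rejected,
 * which is deliberately strict: my.photo.gif is refused as well.
 */
function allowed_extension(string $clientName): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;                     // no extension, dotfile, or double-barreled
    }
    return isset(ALLOWED[$parts[1]]) ? $parts[1] : null;
}

/** Validate one $_FILES entry and store it under a server-chosen name. */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $ext = allowed_extension((string) ($file['name'] ?? ''));
    if ($ext === null) {
        throw new RuntimeException('File type not allowed');
    }
    // Detect the type from the file content, not the browser-sent $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // Rename: random name, with the extension taken from the allowlist only.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($target, 0644);                // readable, never executable
    return $target;
}
```

Call it as `store_upload($_FILES['upload'])`, where `upload` stands for your form field name, and catch `RuntimeException` to show the user an error.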

©2013 About.com. All rights reserved.