Hello, I’m Julian

Filter filename on fileupload and prevent execution of uploaded files

Its a good way to allways rename uploaded files using something like a MD5-hash and store the original filename in a database.
If for some reason you dont want to rename it using a hash, you should filter the filename using some code like this one:

$filename = strip_tags($_FILES["upload"]["name"]);
$filename = str_replace(array('|','<','>','"','\'',':','\','/','*','?'),'',$filename);

It's a good idea to deny the execution of all uploaded files: place a .htaccess file in your upload-directory:

RemoveHandler .cgi .shtm .shtml
RemoveType .php .php3 .php4 .php5

deny from all

order deny,allow
deny from all

Date: Tue, 23 Jun 2009 8:50:00
Author: Julian Stricker


Blog Comments powered by Disqus.