Filter filename on fileupload and prevent execution of uploaded files
Its a good way to allways rename uploaded files using something like a MD5-hash and store the original filename in a database.
If for some reason you dont want to rename it using a hash, you should filter the filename using some code like this one:
$filename = strip_tags($_FILES["upload"]["name"]);
$filename = str_replace(array('|','<','>','"','\'',':','\','/','*','?'),'',$filename);
It's a good idea to deny the execution of all uploaded files: place a .htaccess file in your upload-directory:
RemoveHan… Read more