Check that information is being referred from your website. Check file extensions and allow only certain mime-types. Files should be renamed after upload. Change the permissions on the upload folder (not executable). Login and moderate users and posts.
<form enctype="multipart/form-data" method="post">
    <input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
    File to upload: <input name="uploaded_file" type="file" />
    <input type="submit" value="Upload" />
# Check that we have a file
if (!empty($_FILES['uploaded_file']) && 
    $_FILES['uploaded_file']['error'] == 0) {

    # Check if the file is a type permited
    $filename = basename($_FILES['uploaded_file']['name']);
    $pathinfo = pathinfo($filename);
    $extension = $pathinfo['extension'];
    if (!in_array($extension, 
            array('jpg', 'jpeg', 'gif', 'bmp'))) {
        echo 'File type not permitted';

    # Rename file
    $filename = basename($_FILES['uploaded_file']['name']);
    echo $new_filename = uniqid() . "_" . $filename;
        // 502913f491ac3_Chrysanthemum

  Last update: 270 days ago