PROGRAMMING

MINTE9 REMEMBERS

Last update: 13-05-2022

Uploads

Check that the request is being referred from your own website. Check file extensions and allow only certain MIME types. Rename files after upload. Change the permissions on the upload folder so that files in it are not executable. Require login and moderate users and posts.
 
<form enctype="multipart/form-data" method="post">
    <input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
    File to upload: <input name="uploaded_file" type="file" />
    <input type="submit" value="Upload" />
</form> 
 
# Check that we have a file and that PHP reported no upload error
if (!empty($_FILES['uploaded_file']) && 
    $_FILES['uploaded_file']['error'] == UPLOAD_ERR_OK) {

    # Check if the file is a permitted type (lower-cased, so "JPG" is treated like "jpg")
    $filename = basename($_FILES['uploaded_file']['name']);
    $pathinfo = pathinfo($filename);
    $extension = strtolower($pathinfo['extension'] ?? '');
    
    if (!in_array($extension, 
            array('jpg', 'jpeg', 'gif', 'bmp'))) {
        echo 'File type not permitted';
        exit;   # stop here, otherwise the rejected file would still be processed below
    }

    # Rename file (unique prefix, so two uploads with the same name cannot overwrite each other)
    $new_filename = uniqid() . "_" . $filename;
    echo $new_filename;
        // 502913f491ac3_Chrysanthemum
}
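A hardened handler for the form above, written here as an added example rather than the note's own code: it applies each point of the note (referer check, extension allow-list plus the real MIME type of the uploaded bytes, random rename, non-executable permissions). EXPECTED_HOST and UPLOAD_DIR are assumed values; UPLOAD_DIR is meant to sit outside the web root.

```php
<?php
// Added example, not from the original note. Assumed: EXPECTED_HOST and
// UPLOAD_DIR (a directory outside the web root, served via a download script).
const EXPECTED_HOST = 'www.example.com';
const UPLOAD_DIR    = '/var/www/uploads';
const MAX_BYTES     = 1000000;   // enforced here; MAX_FILE_SIZE in the form is only a hint
// Extension allow-list, each mapped to the MIME type(s) the bytes must really have.
const ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'bmp'  => ['image/bmp', 'image/x-ms-bmp'],
];
function handle_upload(array $file): string
{
    // Referer must point at our own host (the note's "referred from your website").
    $host = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if ($host !== EXPECTED_HOST) {
        throw new RuntimeException('Request did not come from this site');
    }
    // PHP must report a clean upload and the temp file must be a real uploaded file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
            || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Extension check, lower-cased so "JPG" and "jpg" are treated alike.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('File type not permitted');
    }
    // MIME type read from the bytes on disk, never from the client-sent $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true) || getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Content does not match extension');
    }
    // Rename: random name plus the checked extension; the original name is discarded.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644);   // readable by the web server, never executable
    return basename($dest);
}
if (!empty($_FILES['uploaded_file'])) {
    echo htmlspecialchars(handle_upload($_FILES['uploaded_file']), ENT_QUOTES, 'UTF-8');
}
```

The returned name is the only thing the application needs to keep; the original client filename never reaches the filesystem.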
