To safely handle file uploads in PHP, the core is to verify file types, rename files, and restrict permissions. 1. Use finfo_file() to check the real MIME type, and only specific types such as image/jpeg are allowed; 2. Use uniqid() to generate random file names and store them in non-Web root directory; 3. Limit file size through php.ini and HTML forms, and set directory permissions to 0755; 4. Use ClamAV to scan malware to enhance security. These steps effectively prevent security vulnerabilities and ensure that the file upload process is safe and reliable.

Handling file uploads securely in PHP isn't just about getting the file from point A to B — it's about making sure that what gets uploaded doesn't break your site or open up security holes. The core idea is simple: never trust user input, especially when it's a file.

Here's how to approach it step by step.

Check the File Type Properly

Just checking the file extension isn't enough — attackers can rename malicious files to look like images or PDFs. Instead, use mime_content_type() or finfo_file() to check the actual MIME type of the uploaded file.

For example:

 $finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['fileToUpload']['tmp_name']);
finfo_close($finfo);

Only allow specific MIME types like 'image/jpeg' , 'image/png' , etc., and avoid anything executable like .php , .exe , or .sh .

Also, don't rely solely on the client-side check — always validate on the server side.

Rename Uploaded Files and Store Them Outside Web Root

Using the original filename can be risky — someone might upload a .php file and name it something like photo.jpg.php . If your server misconfigures, that could get executed.

So:

• Generate a random filename (like using uniqid() or a hash)
• Keep a mapping between the original name and the stored name in your database
• Save files outside the public web directory (eg, /var/uploads/ instead of /public_html/uploads/ )

This way, even if someone manages to upload a dangerous file, it can't be accessed directly via a URL.

Limit File Size and Use Secure Permissions

Large file uploads can eat up your server resources or even be used in denial-of-service attacks.

Set limits both in PHP and in your HTML form:

• In php.ini :

   upload_max_filesize = 2M  
  post_max_size = 8M

• In your form:

   <input type="hidden" name="MAX_FILE_SIZE" value="2097152">

Also, make sure that the upload directory has proper permissions — usually 0755 is enough, and owned by the web server user. Never set chmod 777 unless you really know what you're doing (and even then, it's not safe).

Scan for Malware When Possible

If you're dealing with sensitive content or high-traffic platforms, consider scanning uploaded files with antivirus tools like ClamAV. It adds an extra layer of protection, especially against infected documents or images with embedded malware.

You can run this after upload but before moving the file to its final location.

 $output = shell_exec('clamscan --stdout ' . escapeshellarg($_FILES['fileToUpload']['tmp_name']));
if (strpos($output, 'Infected') !== false) {
    // Reject the file
}

It's not foolproof, but better safe than sorry.

That's the basic setup. There's more you can do depending on your app's needs — like virus scanning, watermarking images, or generating thumbnails — but these steps cover most common vulnerabilities. File uploads are tricky, but with a few solid checks, they can be handled safely.

The above is the detailed content of How can you handle file uploads securely in PHP?. For more information, please follow other related articles on the PHP Chinese website!