1 (edited by eric235u 2008-03-01 21:12)

Topic: php: Validating file uploads ?

Hi all. I'm doing a rewrite of a mod and was wondering about best practices for validating a file upload, such as
http://us2.php.net/manual/en/features.file-upload.php

$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

echo '<pre>';
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "Possible file upload attack!\n";
}

In the back of my head I hear "sanitize all user input". Is there anything I should do to the name in $_FILES['userfile']['name'], as the user is the one setting this variable?

Thanks for any tips.

Re: php: Validating file uploads ?

That's what basename is for. wink
I would also check for duplicates if the user is doing the file naming. And forbid .htaccess, .php files, index.htm(l), etc.
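Putting the two replies together, here is an added example of a hardened version of the manual snippet quoted in the first post. It is not code from this thread, from the mod, or from the PHP manual. It assumes the same upload directory and form field name as the snippet above, that the fileinfo extension is available (bundled with PHP 5.3, PECL before that), and that only a small whitelist of image types is wanted; the size limit and the whitelist itself are placeholders to adjust.

```php
<?php
// Added example, not from the original thread or the PHP manual.
// Assumptions: uploads go to /var/www/uploads (ideally outside the
// document root, or with PHP execution disabled there), the form field
// is still "userfile", fileinfo is installed, and only images are wanted.

$uploaddir = '/var/www/uploads/';          // assumed writable by the web server
$max_bytes = 2 * 1024 * 1024;              // assumed 2 MiB limit
$allowed   = array(                        // extension => expected MIME type
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
);

/**
 * Validate one $_FILES entry and return a safe filename (no directory part).
 * Throws RuntimeException with a reason on any problem.
 */
function validate_upload(array $file, array $allowed, $max_bytes)
{
    // 1. PHP's own verdict first: only UPLOAD_ERR_OK means a complete upload.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error code ' .
            (isset($file['error']) ? $file['error'] : 'missing'));
    }

    // 2. tmp_name must be a file PHP created for THIS request, so a forged
    //    path such as /etc/passwd cannot be "moved" into the upload dir.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }

    // 3. Size: $_FILES['size'] is set by PHP, but check the file too.
    if ($file['size'] > $max_bytes || filesize($file['tmp_name']) > $max_bytes) {
        throw new RuntimeException('file too large');
    }

    // 4. The client chose ['name']: drop any directory part (basename, as
    //    the reply says), then reduce it to a conservative character set.
    $name = basename($file['name']);
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    // Forbid dotfiles (.htaccess, .htpasswd) and index.* so the upload can
    // neither reconfigure nor front the directory.
    if ($name === '' || $name[0] === '.' || preg_match('/^index\./i', $name)) {
        throw new RuntimeException('forbidden filename');
    }

    // 5. Whitelist the extension and collapse multiple extensions:
    //    "shell.php.jpg" becomes "shell_php.jpg", which matters on Apache
    //    setups that map handlers by any extension in the name.
    $parts = explode('.', $name);
    if (count($parts) < 2) {
        throw new RuntimeException('no file extension');
    }
    $ext = strtolower(array_pop($parts));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed: ' . $ext);
    }
    $base = implode('_', $parts);

    // 6. Check the content, not $file['type']: that field is also sent by
    //    the client and can say "image/png" for a PHP script.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("content is $mime, expected {$allowed[$ext]}");
    }

    return $base . '.' . $ext;
}

try {
    $dest = $uploaddir . validate_upload($_FILES['userfile'], $allowed, $max_bytes);

    // Duplicate check, as suggested in the reply: refuse rather than overwrite.
    if (file_exists($dest)) {
        throw new RuntimeException('a file with that name already exists');
    }
    if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    chmod($dest, 0644);                    // readable, never executable
    echo 'Stored as ' . htmlspecialchars(basename($dest)) . "\n";
} catch (RuntimeException $e) {
    error_log('upload rejected: ' . $e->getMessage());   // detail for the admin
    echo "Upload rejected.\n";                           // nothing useful for an attacker
}
```

Two caveats worth knowing. The file_exists/move pair is not atomic, so two simultaneous uploads of the same name can still race; if that matters, generate the stored name server-side (a random string plus the whitelisted extension) and keep the user's name only as metadata in the database. And none of this protects the directory itself: if the web server will execute scripts there, a single missed case becomes remote code execution, so either store uploads outside the document root and serve them through a script, or disable PHP for that directory in the server configuration.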

Re: php: Validating file uploads ?

Thanks smartys!