Malicious File Upload Prevention in PHP

by Rajesh Kumar Sahanee - February 10, 2020 (updated February 15, 2020)

Hello Friends, today we'll look at malicious file upload prevention in PHP. If our web application has a file upload feature, we should build that feature with precautions, because an unchecked upload is a very easy way for an attacker to inject malicious code into our application. The client-supplied MIME type (`$_FILES['file']['type']`) cannot be trusted, so the code below sniffs the type from the file content with `finfo_file()` and checks both the extension and the sniffed type against an allowlist. So here is the code, index.php:

```php
<?php
$msg = "";
if (isset($_FILES['file']) && $_FILES['file']['error'] != UPLOAD_ERR_NO_FILE) {
    // escape the client-supplied name before echoing it into the page
    $msg = "<b>Chosen: " . htmlspecialchars($_FILES['file']['name'], ENT_QUOTES, 'UTF-8') . "</b>";
    $fileSize = $_FILES["file"]["size"];
    $fileExtension = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
    //$fileType = $_FILES["file"]["type"]; // this can be easily modified by attacker
    $fileType = finfo_file(finfo_open(FILEINFO_MIME_TYPE), $_FILES['file']['tmp_name']); // sniffed from content
    $allowedFileSize = 2 * 1024 * 1024; // 2MB
    $allowedExtensions = array("pdf", "doc", "docx", "jpeg", "jpg", "png");
    $allowedFileTypes = array(
        "application/pdf",
        "application/msword",
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
        "image/jpeg",
        "image/jpg",
        "image/png",
    );
    if ($fileSize > $allowedFileSize) { // checking file size
        $msg .= "<p>Maximum 2MB Allowed</p>";
    } else if (!in_array($fileExtension, $allowedExtensions, true) || !in_array($fileType, $allowedFileTypes, true)) { // checking file extension and type
        $msg .= "<p>Only pdf, doc, docx, jpg and png files are allowed.</p>";
    } else {
        if (!file_exists("uploads")) { // checking if uploads folder exists
            mkdir("uploads", 0755, true); // not world-writable
        }
        // basename() drops any directory part of the client-supplied name
        $target = "uploads/" . basename($_FILES['file']['name']);
        if (move_uploaded_file($_FILES['file']['tmp_name'], $target)) { // saving file
            $msg .= "<p>File Uploaded Successfully!</p>";
        } else {
            $msg .= "<p>Error! While Saving File</p>";
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <title>Malicious File Upload Prevention</title>
</head>
<body bgcolor="silver">
    <form method="post" enctype="multipart/form-data">
        <input type="file" name="file"/>
        <input type="submit" value="Upload"/>
    </form>
    <?= $msg ?>
</body>
</html>
```
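As an added example that is not part of the original post, here is a stricter version of the same check: it trusts only the MIME type sniffed from the file content, requires that type to agree with the extension, verifies that images actually decode, and stores the file under a random name with the allow-listed extension. The `storeUpload` name, the extension-to-MIME map and the `$uploadDir` argument (which should point outside the web root) are assumptions; what libmagic reports for a given file can vary by version, so test the map against your own PHP build.

```php
<?php
declare(strict_types=1);

// Extension => MIME types we accept finfo reporting for it (assumed mapping;
// libmagic's output for .doc/.docx can vary by version, so test yours).
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'doc'  => ['application/msword'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
];
const MAX_BYTES = 2 * 1024 * 1024; // 2 MB

// Validates one $_FILES entry and returns the path it was stored at; throws on any failure.
function storeUpload(array $file, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed (error code ' . ($file['error'] ?? 'none') . ')');
    }
    if (!is_uploaded_file($file['tmp_name'])) {      // only files PHP itself received via POST
        throw new RuntimeException('Not an uploaded file');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {   // measure on disk, ignore the client's size field
        throw new RuntimeException('Maximum 2MB allowed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']); // sniffed from content
    if (!in_array($mime, ALLOWED[$ext], true)) {       // content must agree with the extension
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    if (strncmp((string) $mime, 'image/', 6) === 0 && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a decodable image');
    }
    // Never reuse the client's filename: random name plus the allow-listed extension.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not save file');
    }
    chmod($dest, 0640);                               // readable data, never executable
    return $dest;
}
// Usage from index.php (assumes an uploads directory outside the web root):
// try { $saved = storeUpload($_FILES['file'], __DIR__ . '/../uploads'); }
// catch (RuntimeException $e) { $msg = '<p>' . htmlspecialchars($e->getMessage()) . '</p>'; }
```

Because the stored name is random and the directory sits outside the web root, a file that passes the checks is served back through a download script rather than executed by the web server.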