Ideas about PHP file upload Security
* Check the referrer
* Restrict file types
* Rename files (check double-barrelled extensions like upload.php.gif and eliminate extensions you don’t allow)
* Change permissions
<?php
// PHP FILE UPLOAD
echo "Size: " . round(($_FILES["uploaded"]["size"] / 1024), 2) . " Kb<br>";
echo "Size: " . round((($_FILES["uploaded"]["size"] / 1024) / 1024), 2) . " MB<br>";
echo "Name: " . $_FILES["uploaded"]["name"] . "<br>";
echo "Type: " . $_FILES["uploaded"]["type"] . "<br>";
echo "Referer: " . ($_SERVER['HTTP_REFERER'] ?? '') . "<br>";
$yourSite = "mywebsite.com";
$yourSite2 = "www.mywebsite.com";
$uploaded_size = $_FILES["uploaded"]["size"] / 1024;   // size in KB
$uploaded_type = $_FILES["uploaded"]["type"];          // MIME type as reported by the browser
$domain = parse_url($_SERVER['HTTP_REFERER'] ?? '');   // Referer header as sent by the browser
$referer_host = $domain['host'] ?? '';
echo "Referer Host: " . $referer_host . "<br>";
$target = "upload/";
$target = $target . basename($_FILES['uploaded']['name']);
$okFlag = 1;
//This is our size condition
if ($uploaded_size > 400000)
{
    echo "Your file is too large.<br>";
    $okFlag = 0;
}
//This is our limit file type condition
if ($uploaded_type == "text/php")
{
    echo "No PHP files<br>";
    $okFlag = 0;
}
// Allow only gif image to upload
if (!($uploaded_type == "image/gif")) {
    echo "You may only upload GIF files.<br>";
    $okFlag = 0;
}
// Check the referrer
if (!($referer_host == $yourSite || $referer_host == $yourSite2)) {
    echo "The referrer is not right.<br>";
    $okFlag = 0;
}
//Here we check that $okFlag was not set to 0 by an error
if ($okFlag == 0)
{
    echo "Sorry your file was not uploaded";
}
//If everything is okFlag we try to upload it
else
{
    if (move_uploaded_file($_FILES['uploaded']['tmp_name'], $target))
    {
        echo "The file " . basename($_FILES['uploaded']['name']) . " has been uploaded successfully";
    }
    else
    {
        echo "Sorry, there was a problem uploading file.";
    }
}
?>
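The four ideas above applied to the same handler, as an added example that is not the original post's code: it assumes a form field named "uploaded" and a writable upload/ directory, and it replaces the browser-reported type and the client-chosen filename with content sniffing and a generated name.

```php
<?php
// Added example, not the original post's code: the four ideas above applied
// with server-side checks. Assumed: form field "uploaded", files kept in upload/.
$maxBytes = 400 * 1024;                                   // assumed size limit
$allowed  = ['gif' => 'image/gif', 'png' => 'image/png', 'jpg' => 'image/jpeg'];
$target   = __DIR__ . '/upload/';

function rejectUpload(string $why): void {
    http_response_code(400);
    echo htmlspecialchars($why);
    exit;
}

// Referrer: only a nuisance filter, since the header is chosen by the client.
$refHost = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
if (!in_array($refHost, ['mywebsite.com', 'www.mywebsite.com'], true)) {
    rejectUpload('The referrer is not right.');
}

// Only handle files PHP itself received through the upload mechanism.
if (!isset($_FILES['uploaded']) || !is_uploaded_file($_FILES['uploaded']['tmp_name'])) {
    rejectUpload('No file uploaded.');
}
$file = $_FILES['uploaded'];
if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > $maxBytes) {
    rejectUpload('Upload failed or file is too large.');
}

// Restrict file types by sniffing the content; $_FILES['type'] is sent by the
// browser, so a PHP script can arrive labelled image/gif.
$mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
$ext  = array_search($mime, $allowed, true);
if ($ext === false || @getimagesize($file['tmp_name']) === false) {
    rejectUpload('Only GIF, PNG or JPEG images are accepted.');
}

// Rename: the stored name is generated here, never taken from the client, so a
// double-barrelled name like upload.php.gif cannot reach the disk.
$name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($file['tmp_name'], $target . $name)) {
    rejectUpload('Could not store the file.');
}

// Permissions: readable, never executable; upload/ should also be served with
// PHP execution disabled.
chmod($target . $name, 0644);
echo 'Stored as ' . htmlspecialchars($name);
```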