How to Secure Uploaded File Over Server Using PHP

PHP (Hypertext Preprocessor) is a general-purpose scripting language and widely-used for web development. It was originally created by Rasmus Lerdorf in 1993 and released in 1995. A PHP server also called a PHP application server that provides you a platform where all PHP applications run.

Uploading a file (such as an image, zip, or PDF) is quite common in website development, and PHP makes the process very simple with the move_uploaded_file method. But hackers are always on the lookout for easy prey, such as .exe, PHP, and scripting files.

Although this does not guarantee that after this your code and server will be fully protected from hackers. but something is better than nothing.

Below are some tricks that you can use while writing code for file uploading –

Step 1:- Set File permission:

Before placing the file on the server, you may add non-executable permission to it. The server will be safe from executable and scripting files using this approach. You can use PHP’s chmod() function to change file permissions.

if(move_uploaded_file($_FILES[“uploadedfile”][“tmp_name”], $target_path)) {

         chmod($target_path, 0755);

     }else{

         echo “There was an error uploading the file, please try again!”;

     }

Step 2:- Use getimagesize method:

A very common trick used by hackers is changing the content type of a file to a valid one. To ensure that the uploaded file is a valid one or an image file, you can use the getimagesize() method.

$imageinfo = getimagesize($_FILES[“uploadfile”][“tmp_name”]);

     if($imageinfo[“mime”] != “image/gif” && $imageinfo[“mime”] != “image/jpeg” && isset($imageinfo))

     {

         // invalid file

     }

Step 3:- Create an upload folder outside of root:

The best way to avoid users from requesting uploaded files straight away is to keep the file in a folder outside the root. However, the major disadvantage with this method is that after this server will be unable to access the file.

Step 4:- Use .htaccess file:

You can set permission and prevent hackers to access files by making changes in the .htaccess file, If somehow hackers upload a file this will prevent executing a file.

Step 5:- The Include Function:

Sometimes you need to obtain input from the user in order to determine which file should be included in the PHP server script. For example, suppose your site is called Site_languageuage.

if(isset($_COOKIE[‘Site_language’])){      

     $Site_language = $_COOKIE[‘Site_language’];

} elseif (isset($_GET[‘Site_language’])) {

     $Site_language = $_GET[‘Site_language’];

} elseif (isset($_GET[‘Site_language’])) {

     $Site_language = $_GET[‘Site_language’];

} else {

     $Site_language = ‘english’;

}

$siteLanguagePath = “Language/”.$Site_language;

include($siteLanguagePath);

Now there is no security for the input of site_language, An hacker can take benefit of this and enter the path of the file that he wants to execute.

As a result, to guarantee that hackers do not upload any harmful files to the system, you must secure your input/upload feature.

Step 6:- Rename file with an auto-generated name:

While uploading to the server, it is a good idea to change the file’s name. Hackers would find it difficult to figure out the name of the file and then hack or download it from the server.

It’s possible to encrypt and decrypt files using a variety of methods, including md5, for example. Alternatively, you might use self-encryption to encrypt and decrypt file names.

Step 7:- Restrict upload file size by html or PHP code:

You may secure your system by restricting or limiting the file size that can be uploaded. It will prevent users from uploading a huge file that would exceed the limit and cause problems to your system.

You can make these changes by using html as well as PHP script

Html:

<input type=’hidden’ name=’MAX_FILE_SIZE’ value=’100000′ />

PHP:

$max_file_size = 100000000;  

if(!$file_size || $file_size > $max_file_size) {

     echo “File size is more than maximum size limit”;

}

Step 8:- Verify session authentication:

After successful authentication, you may also check session authentication and enable file upload functionality.

or

You can also add a captcha to provide security against automated scripts. There are still several techniques available to us to safeguard your server from hackers and prevent them from uploading harmful material –

• Check the mime type
• Use an anti-virus
• Took a combined protection
• Use a different subdomain for uploading purpose

Each day new techniques are discovered to stop hackers from such work so keeping you update is best practice to keep your data secure.

Conclusion

In website development, uploading a file (such as an image, zip, or PDF) is quite common, and PHP makes the procedure straightforward with the move_uploaded_file method. However, hackers are always looking for easy prey such as .exe, PHP, and script files. We hope that this blog helped you in some manner. Keeping up with the latest methods to defend yourself from such jobs is essential in order to keep your data secure.

Need expert solutions for your online project? Get in touch with our team of specialists today!

FAQs

Q1. What are the basic security risks when allowing file uploads? 

If you upload a file, it poses different risks, such as executing malicious scripts (like PHP) without any proper validation, overwriting critical files, or consuming excessive server resources.

Q2. How can I secure file uploads in PHP? 

Secure file uploads in PHP by:

• Validating file types and sizes on the client and server side.
• Storing uploaded files outside the web root directory.
• Generating unique filenames to prevent overwriting and guessing.
• Restricting file permissions and using .htaccess to block direct access.

Q3. Why is validating file types important? 

Validating file types ensures that you only upload the relevant file formats. It reduces the risk of executing malicious scripts disguised as innocent file types (e.g., PHP files posing as images).

Q4. Where should I store uploaded files on the server? 

Store uploaded files in a directory outside the web root. This prevents direct access through a URL and reduces the risk of executing uploaded scripts.

Q5. Do you offer PHP development services?

With 15+ years of experience, we offer the best and highest-quality PHP development services, including

• Custom web application development
• E-commerce solutions
• API development and integration
• Content management systems (CMS) development
• PHP framework-based development (such as Laravel, Symfony, and CodeIgniter)
• PHP maintenance and support