How to secure uploaded file over server using PHP

Posted by ongraph · October 8, 2014 · 5 Min read

Table of contents

Uploading file (Image,Zip,PDF etc.) is very common in websites designing and PHP makes this much easy with move_uploaded_file method.

But as we know that hackers are always looks for these kind of easy fishes, Files such as .exe, .php, scripting files are the catching sticks for hackers.

A hacker can damage your site by using or uploading these kind of files.

Although this is not guaranty that after this your code and server will be fully protect from hackers. but something is better than nothing.

Below is some tricks that you can used while writing code for file uploading –



Step 1:- Set File permission :

You can add non-executable permission to file before make it uploaded over server. This will protect server from executable and scripting files.

You can use chmod() method of core PHP to set file permission.


if(move_uploaded_file($_FILES[“uploadedfile”][“tmp_name”], $target_path)) {
            chmod($target_path, 0755);
            echo “There was an error uploading the file, please try again!”;



Step 2:- Use getimagesize method :

A very common trick use by hackers is change content-type of a file to valid one.To make it ensure that uploaded file is a valid one or a image file you can use getimagesize() method.


$imageinfo = getimagesize($_FILES[“uploadfile”][“tmp_name”]);
        if($imageinfo[“mime”] != “image/gif” && $imageinfo[“mime”] != “image/jpeg” && isset($imageinfo))
            // invalid file



Step 3:- Create upload folder outside of root :


Best way to prevent user to request uploaded files directly is keep file in a folder somewhere outside the root.But the main issue with this approach is after this server will not be able to access the file.


Step 4:- Use .htaccess file :


You can set permission and prevent hackers to access files by making changes in .htaccess file, If somehow hackers upload a file this will prevent to exicute a file.


Step 5:- The Include Function :

Some time you need to take input from user to determine which file need to include in PHP script. For example in case of site Site_languageuage.


        $Site_language = $_COOKIE['Site_language'];
    } elseif (isset($_GET['Site_language'])) {
        $Site_language = $_GET['Site_language'];
    } elseif (isset($_GET['Site_language'])) {
        $Site_language = $_GET['Site_language'];
    } else {
        $Site_language = 'english';
    $siteLanguagePath = “Language/”.$Site_language;


Now there is no security for input of site_language, An hacker can take benefit of this and enter path of file that he wants to execute.

Therefore, it is important to secure your input/upload function to prevent hackers from execute any file that are harmful to machine.



Step 6:- Rename file with a auto generated name :


It is a good idea to rename your uploaded file while saving that to server. As it will be difficult for hacker to get name of file and to hack or download that from server.

You can use various type of encryption technique like md5 etc. or you can create self encryption technique to encrypt to decrypt file name.


Step 7:- Restrict upload file size by html or PHP code :


You can put a level of security by restrict or fix file size to be uploaded. It will prevent user to upload a large file having size out of range and may harm your system.

You can make these changes by using html as well as PHP script


Html :

<input type='hidden' name='MAX_FILE_SIZE' value='100000' />


$max_file_size = 100000000;  
    if(!$file_size || $file_size > $max_file_size) {
        echo “File size is more than maximum size limit”;



Step 8:- Verify session authentication :


You can also verify valid user by checking session authentication and allow file upload feature after passed authentication.


You can add a captcha as well to provide a security against automated scripts.

There are still lot's of techniques that are useful to us to prevent hackers to damage your server or upload harmful content like –


– Check the mime type

– Use an anti virus

– Use a combined protection

– Use a different sub domain for uploading purpose

Each day new technique are discovered to stop hackers for such work so keep you update is best practice to keep your data secure.

Share this Article