Getting Started
Nature and Scope of the Problem
Understanding Filtering, Validation, and Output Escaping
Preventing the Most Common Forms of Attack
Protecting Against Common Website Vulnerabilities
Protecting Against SQL Injection Attacks
About the Author
Protecting file uploads

php.ini settings
    upload_tmp_dir, upload_max_filesize (post_max_size and max_file_uploads also bound what a single request can deliver)
Safety checks
    $_FILES["field"]["error"] must equal UPLOAD_ERR_OK before anything else is trusted
    is_uploaded_file() confirms the temporary file really came from this HTTP upload
Sanitize the filename
    $_FILES["field"]["name"] is attacker-controlled; treat it as untrusted input
    Use basename() to remove path components such as "../"
    Use preg_replace() to remove suspicious characters (allow-list letters, digits, dot, dash, underscore)
Move to a secure location
    Build your own directory path; never derive it from the submitted name
    move_uploaded_file() is the only correct way to take the file out of the temp directory
Don't forget HTML5 features!
    accept=audio/*|image/*|video/*|MIME_type
    min=NNN, max=NNN (these apply to numeric and date inputs; there is no HTML5 attribute that limits file size)
    These are client-side hints only: the browser lets the user override them and an attacker bypasses them entirely, so every check must be repeated on the server
Other safety measures
    Anti-virus scans
    Consider using a cron job to scan and prune the upload directory asynchronously
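The steps on this slide combined into one upload handler, written as an added example rather than code from the original course. It assumes a form field named "upload", a storage directory UPLOAD_DIR outside the web root, a 2 MiB application limit, and that only PNG and JPEG are allowed; the finfo-based content check and the random on-disk name go beyond what the slide lists and are marked as such in the comments.

```php
<?php
// Added example (not from the original slides): a hardened upload handler
// following the slide's steps. Assumptions not in the original: the field is
// named "upload", UPLOAD_DIR is outside DocumentRoot, and only PNG/JPEG are
// accepted.

declare(strict_types=1);

const UPLOAD_DIR    = '/var/www/uploads';        // assumed path, outside the web root
const MAX_BYTES     = 2 * 1024 * 1024;            // assumed 2 MiB application limit
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Validate and store one uploaded file. Returns the stored path on success
 * and throws RuntimeException with a generic message on any failure.
 */
function storeUpload(string $field): string
{
    // 1. Safety checks: the field must exist and report UPLOAD_ERR_OK.
    if (!isset($_FILES[$field]) || !is_array($_FILES[$field])) {
        throw new RuntimeException('No file uploaded.');
    }
    $file = $_FILES[$field];
    if (!isset($file['error']) || is_array($file['error'])) {
        throw new RuntimeException('Invalid upload parameters.');
    }
    switch ($file['error']) {
        case UPLOAD_ERR_OK:
            break;
        case UPLOAD_ERR_INI_SIZE:
        case UPLOAD_ERR_FORM_SIZE:
            throw new RuntimeException('File exceeds the size limit.');
        case UPLOAD_ERR_NO_FILE:
            throw new RuntimeException('No file uploaded.');
        default:
            throw new RuntimeException('Upload failed.');
    }

    // is_uploaded_file() guarantees tmp_name came from this HTTP upload and
    // is not some other path smuggled into $_FILES.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Invalid upload.');
    }

    // Enforce the application limit on what is actually on disk, not only on
    // the client-reported size.
    if ($file['size'] > MAX_BYTES || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File exceeds the size limit.');
    }

    // 2. Sanitize the filename: strip directory components, then anything
    //    outside a conservative allow-list. The client may send "../../x".
    $name = basename($file['name']);
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');                 // no hidden files, no ".." leftovers
    if ($name === '') {
        $name = 'upload';
    }
    $name = substr($name, 0, 100);

    // Server-side type check (added here; not on the slide): inspect the bytes
    // with finfo instead of trusting $_FILES["type"] or the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('File type not allowed.');
    }

    // 3. Move to a secure location: build the destination path ourselves from
    //    a random token plus the extension we chose, never from user input.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest   = UPLOAD_DIR . DIRECTORY_SEPARATOR . $stored;

    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('Storage unavailable.');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640);  // not executable, not world-readable

    // Keep the sanitized original name only as metadata (for a database or
    // log), never as the on-disk name.
    error_log(sprintf('stored upload "%s" as %s', $name, $stored));
    return $dest;
}

// Usage (assumes a multipart form with <input type="file" name="upload">):
try {
    storeUpload('upload');
    echo 'Upload stored.';
} catch (RuntimeException $e) {
    http_response_code(400);
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The random on-disk name is what makes the basename()/preg_replace() step safe to get slightly wrong: the sanitized name is only ever logged or stored as metadata, so a path or shell metacharacter that slipped through could not select where the file lands. Serving the directory through a script that sets Content-Type from the stored extension, rather than letting the web server execute anything under UPLOAD_DIR, is the remaining piece a practitioner would add.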