
What are better practices to prevent the upload of any malicious file (with extensions like php.jpeg, or even code injected without a specific .php), than declaring acceptable extensions:

```php
$allowed  = array('jpeg', 'png', 'jpg', 'pdf');
$filename = $_FILES['any_file']['name'];
$ext = pathinfo($filename, PATHINFO_EXTENSION);
if (!in_array($ext, $allowed)) {
    echo 'error';
}
```

and what is the problem with the following:

```php
$filename = $_FILES['any_file']['name'];
$containsDotPhp = $filename;

// "contains" is not PHP; the substring test the pseudocode intends is strpos()
if (strpos($containsDotPhp, '.php') !== false) {
    echo 'error';
}
```

Or any better solution, with an explanation of why it is more efficient, would be appreciated.

AliS
  • Extensions don't make files malicious. And a `foo.php.jpg` will not be executed as a php file on the webserver if you do decide to place it somewhere that executable code is stored. – CollinD May 11 '17 at 00:19
  • Possible duplicate of [Secure User Image Upload Capabilities in PHP](http://stackoverflow.com/questions/3644138/secure-user-image-upload-capabilities-in-php) – CollinD May 11 '17 at 00:23
  • Thanks, but what if the upload is not restricted to just images? – AliS May 11 '17 at 00:26
  • Sounds like you need to update your question, then. You've specifically asked about securely handling image uploads. Regardless, I'd suggest reading the answer in that post; sections of it are relevant to any type of file. – CollinD May 11 '17 at 00:30
  • "malicious files with extensions like" – please read the question carefully first. I did not ask specifically about images in the first place, but edited it for clarification. – AliS May 11 '17 at 22:47

1 Answer


The problem with checking the file extensions is that the user can specify any file extension for any file, so checking it is worthless in terms of detecting malicious content.

Note however that malicious content needs a context in order to become a threat. You allude to someone uploading malicious PHP code. That's only a problem if you actually run that PHP code. You might inadvertently run it through bad programming, however if you are just storing the file on the server, as malicious as the PHP code may be, it's not going to be able to do anything. If you serve it out to your users and they use it because they trust you, that could also be a problem for different reasons.

If you want to try and verify that a file is in fact what it claims to be, you can check its mime type based on the actual content of the file like this:

```php
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime  = finfo_file($finfo, $_FILES['image_file']['tmp_name']);
finfo_close($finfo);
echo('Detected Mime: ' . $mime);
```

Note that in the PHP script example however, it's just going to tell you that it's a text file, regardless of what the actual PHP script does. However, it becomes more helpful when it comes to binary files like images, video, etc.

sg-
  • Thank you, very informative. The scenario is, for instance, the attacker uploads a PHP fileman through file uploads, which was accessed in the upload page via SQLMAP. – AliS May 11 '17 at 01:32
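The following is an added example (not code from the question or from the answer above) that puts the content-based check the answer describes into a complete upload handler: the detected MIME type is looked up in an allowlist, the stored file gets an extension chosen by the server rather than by the client, the client-supplied name is never used on disk, and the file is written to a directory that is assumed to be outside the web root. The form field name `any_file` comes from the question; the storage path `/var/app/uploads` and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Allowlist: MIME type detected from the bytes => extension the server assigns.
// Anything not in this map (including text/x-php, text/plain) is rejected.
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

/**
 * Validate one entry of $_FILES by its content and return the extension
 * we will use for it. Throws RuntimeException with the reason on rejection.
 */
function validateUpload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Detect the type from the file bytes, never from $file['name'] or
    // $file['type']: both are supplied by the client and can say anything.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);

    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("Rejected content type: $mime");
    }

    // For images, additionally require that the image decoder agrees with
    // libmagic, so a file with a forged header but no real image data fails.
    if (strpos($mime, 'image/') === 0 && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File claims to be an image but does not decode as one');
    }

    return ALLOWED_TYPES[$mime];
}

/**
 * Move a validated upload into $storageDir under a random name chosen here.
 * Returns the new basename; the original client filename is discarded.
 */
function storeUpload(array $file, string $storageDir): string
{
    $ext     = validateUpload($file);
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;   // e.g. 3f9a...c2.pdf
    $dest    = rtrim($storageDir, '/') . '/' . $newName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640);   // readable by the app, not executable, not world-readable
    return $newName;
}

// Usage in a request handler (assumed storage directory outside the web root):
if (isset($_FILES['any_file'])) {
    try {
        $stored = storeUpload($_FILES['any_file'], '/var/app/uploads');
        echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the stored name and extension come from the detected content, a file named `shell.php.jpg` whose bytes are PHP source is rejected at the allowlist step (libmagic reports it as text, not as an image), and even a file that passes is never written under a name the client chose. Serving the stored files back through a script that sets `Content-Type` from the same allowlist, rather than from a web-accessible directory, keeps the web server from ever being asked to execute them.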