Secure PHP File Upload Script

旧时难觅i 2020-12-08 23:41

I have asked this question twice, I think, but this is the first time I have gotten close to this. I am planning on allowing users to upload and download their files (.pdf,

3 answers
  •  爱一瞬间的悲伤
    2020-12-09 00:29

    There are a million file uploading scripts out there. This one is not worse than the others.

    Although the "protection" from uploading files other than pngs will not work (it only checks the name of the file).

    Uploading files is quite safe - it's giving others the chance of downloading them that opens your server to certain types of attacks. The article you referenced does not mention two important points:

    • never serve any user-provided files from the same domain as your webpage. Have a separate domain for downloads. This way, even if someone manages to upload a flash animation or a piece of HTML, your domain will not suffer from a cross-domain attack (e.g. if your application has a domain of example.org, you should serve user content from, say, downloads.example.com);
    • always serve uploaded files with well controlled headers.
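
An added example (not part of the answer above or of the asker's script) of a download endpoint that applies both points: the type is detected from the file's bytes instead of its name, and every response header is set by the server. `UPLOAD_DIR`, the `id` parameter, the 32-hex-character stored-name scheme and the allowlist are assumptions made for illustration; the script is meant to be hosted on the separate download domain.

```php
<?php
// download.php - added example, hosted on the separate download domain.
declare(strict_types=1);

// Hypothetical storage location, outside the web root.
const UPLOAD_DIR = '/var/www/uploads';
// Hypothetical allowlist: MIME type detected from content => extension served.
const ALLOWED_TYPES = [
    'application/pdf' => 'pdf',
    'image/png'       => 'png',
];

function detectAllowedType(string $path): ?string
{
    // Inspect the file's bytes; the uploaded name and client-sent type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return ($mime !== false && array_key_exists($mime, ALLOWED_TYPES)) ? $mime : null;
}

function resolveStoredFile(string $id): ?string
{
    // Assumption: files are stored under server-generated hex ids, never user names.
    if (!preg_match('/\A[a-f0-9]{32}\z/', $id)) {
        return null;
    }
    $path = realpath(UPLOAD_DIR . '/' . $id);
    return ($path !== false && is_file($path)) ? $path : null;
}

$id   = $_GET['id'] ?? null;
$path = is_string($id) ? resolveStoredFile($id) : null;
$mime = $path !== null ? detectAllowedType($path) : null;
if ($path === null || $mime === null) {
    http_response_code(404);
    exit;
}

// Controlled headers: fixed type, no sniffing, forced download, no active content.
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="download.' . ALLOWED_TYPES[$mime] . '"');
header("Content-Security-Policy: default-src 'none'; sandbox");
header('Content-Length: ' . (string) filesize($path));
readfile($path);
```

The same `detectAllowedType()` check can be run on `$_FILES[...]['tmp_name']` at upload time, so a file that is not a real PDF or PNG is rejected before it is stored.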
