I check the file for its extension and MIME type. Is there anything else I can be doing to help make file uploads safer?
It's for an avatar (so all the images are i
Never use user-submitted filenames at all; make up new ones like «random number».jpeg. ‘Sanitising’ filenames is harder than you think, especially if the app needs to be able to run on a Windows server.
For images, use the PHP getimagesize function to determine the filetype of an image, rather than looking at the highly unreliable filename and mimetype submissions. Disallow uploads that don't parse as images.
For files that are intended to be downloaded, use the Content-Disposition: attachment header to stop IE sniffing for HTML content and displaying it in the browser.
For files that must display inline you'll have to serve them from a different hostname to your main site, otherwise HTML content inside them can cross-site-script into your security context.
Making a file upload feature secure is hard. More discussion.
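The steps in the answer above (random server-generated name, type decided by getimagesize rather than by the submitted name or MIME type, download files sent with Content-Disposition: attachment, inline files served from a separate hostname), put together as an added PHP example. This is not code from the original answer; the storage directory, the size cap, the set of accepted image types and the `serveAvatar` endpoint are assumptions made for the example.

```php
<?php
// Added example, not from the original answer.
// Assumes uploads are written outside the document root (hypothetical path)
// and served back by a separate script on a separate hostname.
const UPLOAD_DIR = '/var/app/avatars';   // hypothetical, not web-accessible
const MAX_BYTES  = 512 * 1024;           // hypothetical size cap for an avatar

// getimagesize() type constant => extension we will give the stored file.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpeg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

// $file is one entry of $_FILES. The client-supplied 'name' and 'type'
// keys are deliberately never read.
function storeAvatar(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Decide the type from the bytes, not from the filename or Content-Type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('not an image we accept');
    }
    $ext = ALLOWED_TYPES[$info[2]];

    // Brand-new random name: nothing from the client reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $name;   // store this in the user record
}

// Hypothetical serving script, meant to run on a hostname that shares no
// cookies or origin with the main site (e.g. usercontent.example, not example.com).
function serveAvatar(string $name, bool $asDownload = false): void
{
    // Accept only the exact shape storeAvatar() generates; this rules out
    // path traversal and any name the client might have chosen.
    if (!preg_match('/^[0-9a-f]{32}\.(jpeg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    $info = @getimagesize($path);
    if ($info === false) {
        http_response_code(404);
        return;
    }

    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');   // tells browsers not to sniff the body
    if ($asDownload) {
        // For files meant to be downloaded: browser saves instead of rendering.
        header('Content-Disposition: attachment; filename="' . $name . '"');
    } else {
        header('Content-Disposition: inline');
    }
    readfile($path);
}

// Usage (hypothetical form field name 'avatar'):
// $stored = storeAvatar($_FILES['avatar']);
// ... later, on the separate hostname:
// serveAvatar($_GET['f']);
```

One caveat worth keeping in mind: getimagesize only checks that the file starts with a parseable image header, so a file can pass this check and still carry HTML or script bytes further in. That is exactly why the answer pairs the check with a separate hostname for inline content and a directory that the web server never executes scripts from; the image check reduces junk, it does not make the bytes trustworthy.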