Making file uploads safe

PHP
1

I’m working on a site where users can create an account and upload .jpgs, .zips and .pdfs. Normally I don’t worry too much about malicious content getting uploaded as it’s the client that does the uploading—and they wouldn’t want to bring their own site down.

My question is: should I be worried about security? I’m checking the file extensions and the file headers (Content-type) but I don’t think that’s 100% secure. If someone ‘disguised’ a script as a file upload (.jpg for example) how hard would it be for the uploader to execute it? I guess even if they uploaded something they wouldn’t be able to execute it unless your PHP scripts were programmed to do so (e.g. include() uploaded files), which my site doesn’t.

I’m also uploading the files to a password protected folder (so they wouldn’t know its name or location) and then—when the user needs to access it—reading it in and specifying the appropriate file headers through a PHP script.

Is there any more that I can do other than the above? Should I be worried?

2

Interesting. I have something similar. In fact I think almost the same: checking content type with php functions, uploading to some folder and using a function to mask the url (loading content and displaying with other name)

I think if you want to get more picky you could check for specific things when you load the file into a variable… for example checking for the php open tag or for some javascript just in case someone is loading something hidden. Also remove execution permission for the folder / files.

I’m not sure what else can be done.

3

If the files are only for download you are good.