Secure File Name, Content, Permission, and Server Handling in PHP

This article explains how to safely process uploaded file names, sanitize file contents, set appropriate Linux permissions, and handle file storage in PHP, while also providing code examples and a brief announcement for a PHP training class.


File Name Handling – When the original name is not required, generate a random name and append a whitelist‑validated extension. For the case where the original name must be kept, the example code shows a whitelist array, extraction and validation of the file extension (only the last extension counts, so a double extension such as .php.pdf is treated as a PDF), truncation of the base name, replacement of inner dots, and reconstruction of the sanitized filename.

$extension_white_list = ['jpg', 'pdf'];
$origin_file_name = 'xx/xxx/10月CPI同比上涨2.1%.php.pdf';
// pathinfo() returns only the last extension; lower-case it so "PDF" and "pdf" compare equal.
$extension = strtolower(pathinfo($origin_file_name, PATHINFO_EXTENSION));
if (!in_array($extension, $extension_white_list, true)) {
    die('错误的文件类型'); // "wrong file type"
}
// Drop any directory part of the client-supplied path, then strip the validated extension.
$new_file_name = pathinfo($origin_file_name, PATHINFO_BASENAME);
$new_file_name = mb_substr($new_file_name, 0, mb_strlen($new_file_name) - 1 - mb_strlen($extension));
// Cap the base name at 20 characters and turn inner dots into underscores so ".php" cannot survive.
$new_file_name = mb_substr($new_file_name, 0, 20);
$new_file_name = str_replace('.', '_', $new_file_name);
$new_file_name = $new_file_name . '.' . $extension;
print_r($new_file_name); // 10月CPI同比上涨2_1%_php.pdf

File Content Handling – Changing a file’s extension does not remove embedded PHP code; an attacker can hide malicious code in image files. The article demonstrates using the Windows copy command to concatenate a PHP script to a JPEG, and provides a PHP routine that re‑draws an image to strip hidden code, noting its memory cost and potential distortion.

Copy 1.jpg/b + test.php/a 2.jpg
try {
    $jpg = '包含php代码的.jpg';            // a JPEG with PHP code appended ("contains php code.jpg")
    $info = getimagesize($jpg);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a valid JPEG');
    }
    [$width, $height] = $info;
    $im = imagecreatetruecolor($width, $height);
    $image = imagecreatefromjpeg($jpg);   // decodes pixel data only; trailing bytes are never read
    imagecopyresampled($im, $image, 0, 0, 0, 0, $width, $height, $width, $height);
    $target = '重绘后干净的图片.jpg';      // "clean re-drawn image.jpg"
    imagejpeg($im, $target);              // write the re-drawn canvas, not the source handle
} finally {
    // Free both handles; is_resource() covers PHP 7, GdImage covers PHP 8.
    isset($im) && (is_resource($im) || $im instanceof GdImage) && imagedestroy($im);
    isset($image) && (is_resource($image) || $image instanceof GdImage) && imagedestroy($image);
}

File Permission Handling (Linux) – The article explains the meaning of read (r/4), write (w/2), and execute (x/1) bits for files and directories, and describes the three user classes (owner, group, others). It recommends setting upload directories to 0755 and uploaded files to 0644, so that no uploaded file carries an execute bit.

mkdir($save_path, 0755, true);   // rwxr-xr-x: only the owner may write; the mode is further reduced by the process umask
chmod($file, 0644);              // rw-r--r--: no execute bit for anyone; chmod is not affected by umask
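The four steps above (whitelisted extension, content check, re-encoding, permissions) combined into a single upload handler, as an added example that is not part of the original article. It goes slightly beyond the text by also checking `is_uploaded_file()` and verifying the real content type with `finfo` before re-encoding. `storeUpload`, `reencodeImage`, `ALLOWED_TYPES` and the `uploads` directory are names chosen for this example; the GD and finfo calls are standard PHP.

```php
<?php
// Added example (not the article's own code): validate one uploaded file and
// store it under a random name with the permissions the article recommends.

declare(strict_types=1);

// Accepted extension => MIME type that finfo must report for the file's bytes.
const ALLOWED_TYPES = [
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

/**
 * Validate one entry of $_FILES and store it in $saveDir.
 * Returns the stored path, or throws RuntimeException with the reason.
 */
function storeUpload(array $file, string $saveDir): string
{
    // 1. Reject anything PHP flagged, or anything that did not arrive via HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // 2. Extension whitelist, as in the article. The client-supplied name is used
    //    only to pick the extension and is never written to the filesystem.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('disallowed extension: ' . $ext);
    }

    // 3. Check the real content type from the magic bytes. A ".jpg" whose bytes are
    //    a PHP script fails here; a genuine JPEG with a script appended still passes
    //    and is neutralised by the re-encode in step 4.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }

    // 4. Random server-side name. mkdir's mode is reduced by umask, so 0755 is an upper bound.
    if (!is_dir($saveDir) && !mkdir($saveDir, 0755, true) && !is_dir($saveDir)) {
        throw new RuntimeException('cannot create ' . $saveDir);
    }
    $target = $saveDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if ($ext === 'pdf') {
        // Non-image types are moved as-is; only the name and permissions change.
        if (!move_uploaded_file($file['tmp_name'], $target)) {
            throw new RuntimeException('move failed');
        }
    } else {
        // Images are decoded to pixels and written back out, which drops every byte the
        // decoder did not need: trailing scripts, EXIF segments, custom chunks.
        reencodeImage($file['tmp_name'], $target, $ext);
    }

    // 5. Readable by the web server, writable by nobody else, never executable.
    //    chmod runs after the write and is not subject to umask.
    chmod($target, 0644);
    return $target;
}

function reencodeImage(string $src, string $dst, string $ext): void
{
    $img = $ext === 'png' ? @imagecreatefrompng($src) : @imagecreatefromjpeg($src);
    if ($img === false) {
        throw new RuntimeException('image could not be decoded');
    }
    try {
        if ($ext === 'png') {
            imagesavealpha($img, true);          // keep transparency through the round trip
            $ok = imagepng($img, $dst);
        } else {
            $ok = imagejpeg($img, $dst, 90);     // re-encode; quality 90 is an arbitrary choice
        }
        if (!$ok) {
            throw new RuntimeException('image could not be written');
        }
    } finally {
        imagedestroy($img);   // frees the handle on PHP 7; harmless no-op on PHP 8
    }
}

// Typical call from a form handler (field name "document" is assumed):
// $path = storeUpload($_FILES['document'], __DIR__ . '/uploads');
```

The re-encode step is what makes the extension and MIME checks sufficient for images: even a file that is a valid JPEG in every respect except the bytes after the end-of-image marker comes out of `imagejpeg()` without them. Files that are not images (the PDF branch here) get no such cleaning, so for those the permission bits and the server-side random name are the controls that matter.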

File Server Handling – For simplicity, the author suggests using an OSS storage service to store uploaded files.

Course Announcement – At the end of the technical guide, there is a promotion for the "PHP Development Basics and Practice" online live class, including enrollment links, schedule, and contact information.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Image Processing, Linux permissions, File Security, filename sanitization, upload handling
Written by php Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.