Secure File Upload: Validation, Size Checks, and Vulnerability Prevention

File upload functionality is common in web applications but is also one of the most vulnerable features; attackers can exploit upload flaws to deliver malicious files, leading to server compromise, data leakage, or malware distribution.

1. Validate File Type

Attackers may rename a .txt file to .php and upload it, then execute malicious code by accessing the file directly. To prevent this, we must verify that uploaded files are of the expected types.

Below is a simple code example for validating file types:

function checkFileType($file)
{
    $allowedTypes = array('image/jpeg', 'image/png', 'image/gif');
    if (in_array($file['type'], $allowedTypes)) {
        return true;
    }
    return false;
}

if (isset($_FILES['file'])) {
    if (checkFileType($_FILES['file'])) {
        // valid file type, continue processing
    } else {
        // invalid file type, handle error
    }
}

2. Check File Size

Attackers might upload excessively large files to exhaust storage or cause crashes. We should limit the size of uploaded files and verify it.

Below is a simple code example for checking file size:

function checkFileSize($file)
{
    $maxSize = 1024 * 1024; // limit to 1MB
    if ($file['size'] <= $maxSize) {
        return true;
    }
    return false;
}

if (isset($_FILES['file'])) {
    if (checkFileSize($_FILES['file'])) {
        // valid size, continue processing
    } else {
        // invalid size, handle error
    }
}

3. Prevent File Upload Vulnerabilities

Beyond type and size validation, we need to prevent upload vulnerabilities. Attackers could upload files containing malicious code to achieve arbitrary code execution.

Store uploaded files in a non‑web‑accessible directory, use randomly generated filenames and unique paths, and set appropriate file permissions to ensure files are not executable.

Below is a simple code example implementing these measures:

function saveUploadedFile($file)
{
    $uploadDir = '/path/to/uploads/';
    $filename = uniqid() . '_' . $file['name'];
    $targetFile = $uploadDir . $filename;
    if (move_uploaded_file($file['tmp_name'], $targetFile)) {
        // file saved successfully, continue processing
    } else {
        // file save failed, handle error
    }
}

if (isset($_FILES['file'])) {
    if (checkFileType($_FILES['file']) && checkFileSize($_FILES['file'])) {
        saveUploadedFile($_FILES['file']);
    } else {
        // invalid type or size, handle error
    }
}

Conclusion

By rigorously filtering and inspecting uploaded files—validating type, size, and preventing upload vulnerabilities—we can effectively protect web applications. Maintaining updated code and security awareness further ensures ongoing safety.