I can also recommend the following:
is_uploaded_file(): returns TRUE if the file named filename was uploaded via HTTP POST. This is useful to ensure that an attacker does not try to trick the script into working with files that it should not work on, for example /etc/passwd. This type of check is especially important if there is a chance that something done with the uploaded files may reveal their contents to the user or even to other users on the same system.
basename() to get only the file name, for example basename("c:/fakepath/something.avi"); // will return something.avi , as some people try to trick the computer by specifying file names that look like directories.
More about basename() :
When you upload a file, you want to move the file to the directory you want, for example to the /uploads/ folder, but a malicious user can name the file something like something/hello.jpg , and then when you move the file with move_uploaded_file($source, $destination) your $destination will be /uploads/something/hello.jpg and this will cause problems. To make sure that you only have the correct file name, you need to use the basename() function, which returns hello.jpg , etc.
// Strip any directory part from the client-supplied name before building the target path
$file_name = basename($_FILES["upload_ctrl"]["name"]);
if (!move_uploaded_file($_FILES["upload_ctrl"]["tmp_name"], "uploads/" . $file_name)) {
    echo "Oops, I cannot upload the file";
}
For more on basename(), see: http://php.net/manual/en/function.basename.php
Tarik
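The checks described in the answer above, put together into one upload handler as an added example (not code from the original answer). The field name "upload_ctrl" and the "uploads/" directory come from the answer; the function name handle_upload(), the extension allowlist and the size limit are assumptions.

```php
<?php
// Added example (not part of the original answer): a hardened upload handler
// combining the checks discussed above. The field name "upload_ctrl" and the
// "uploads/" directory come from the answer; handle_upload(), the extension
// allowlist and the size limit are assumptions.
function handle_upload(array $file, string $uploadDir): string
{
    // Anything other than UPLOAD_ERR_OK means PHP did not receive a usable file.
    if (($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'none'));
    }
    // Confirm the temp path is really the file PHP received via HTTP POST,
    // not some other path (e.g. /etc/passwd) the script was tricked into using.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('tmp_name is not an uploaded file');
    }
    // Enforce a size limit independent of php.ini (assumed: 5 MiB).
    if ($file['size'] > 5 * 1024 * 1024) {
        throw new RuntimeException('File too large');
    }
    // basename() drops any directory part the client put in the name, so
    // "something/hello.jpg" becomes "hello.jpg" and cannot escape $uploadDir.
    $clientName = basename($file['name']);
    // Accept only an allowlisted extension (assumed list), compared case-insensitively.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif', 'pdf'], true)) {
        throw new RuntimeException('Extension not allowed: ' . $ext);
    }
    // Store under a random name with the validated extension rather than the
    // client's name, so uploads cannot collide with or overwrite each other.
    $destination = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() re-checks that the source is a genuine upload.
    if (!move_uploaded_file($file['tmp_name'], $destination)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $destination;
}

// Usage with the field name from the answer:
if (isset($_FILES['upload_ctrl'])) {
    try {
        $saved = handle_upload($_FILES['upload_ctrl'], 'uploads');
        echo 'Stored as ' . htmlspecialchars($saved);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

The random stored name also means the original client name never reaches the filesystem, which is what makes the basename() and allowlist checks sufficient here; the web server should still be configured not to execute anything under uploads/.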