I have a public website where users have the option to upload a PDF file and read that PDF when they need it.
I use the PHP command
$error = copy($tmp_name, $fpath);
to save the file to the server.
The issues I am facing are:
- Anyone can upload any type of file (.exe, .bat), but I only need PDF.
- When trying to browse a PDF file, if someone changes the extension of an .exe or .bat file to .pdf, how do I reduce the risk of that script executing on the server?
I have been trying hard to solve this issue for the last few days, but with no success.
Thanks
Don’t use copy(), use move_uploaded_file() to fetch uploaded files. Using copy() is subject to some serious security vulnerabilities.

That’s easy: just don’t put it anywhere where it can be executed 🙂 Seriously, you can store the most evil viruses on your server – as long as they’re in a directory in which they can’t be run, you have no problem.
The real problem is what happens when people download the file. You can use fileinfo as outlined in other answers to find out whether it’s a PDF. For anything beyond that – e.g. checking for malicious hacks inside the PDF file, of which there are some – you’d have to install a server-side virus scanner.
Other than that, it’ll be the user’s responsibility to have a virus scanner running. There is no 100% security here. Total security might come from opening and re-saving each PDF document using a native PDF library, but I don’t know whether there are any PHP libraries that can do that well.
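An added worked example (not the answerer's code and not from the original page) that ties the two recommendations above together: accept the upload only through move_uploaded_file(), decide by content with fileinfo rather than by the client-supplied name, store the file under an opaque name in a directory outside the web root, and hand it back through a PHP script so the storage directory is never served directly. The form field name pdf, the storage path and the 10 MiB size limit are assumptions.

```php
<?php
// Added example (not the answerer's code): safe handling of a PDF upload.
// Assumptions: the form field is named "pdf", and $storageDir is a directory
// outside the web root (so nothing stored there can be served or executed directly).

declare(strict_types=1);

const MAX_PDF_BYTES = 10 * 1024 * 1024; // 10 MiB, an assumed limit

/**
 * Validate one entry of $_FILES and move it into $storageDir.
 * Returns the new opaque filename on success, or throws RuntimeException.
 */
function storeUploadedPdf(array $file, string $storageDir): string
{
    // 1. Check the PHP-level upload status before touching the file.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . ($file['error'] ?? 'unknown'));
    }
    if ($file['size'] > MAX_PDF_BYTES) {
        throw new RuntimeException('File too large');
    }

    // 2. Only accept a file that really arrived through this request's upload.
    //    This is the check copy() skips and move_uploaded_file() performs.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 3. Decide by content, not by the client-supplied name or $file['type'].
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== 'application/pdf') {
        throw new RuntimeException("Rejected: detected type is $mime, not application/pdf");
    }
    // Belt and braces: a PDF starts with the "%PDF-" magic bytes.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 5);
    if ($head !== '%PDF-') {
        throw new RuntimeException('Rejected: missing %PDF- header');
    }

    // 4. Never reuse the user's filename; generate an opaque one with a fixed extension.
    $name = bin2hex(random_bytes(16)) . '.pdf';
    $dest = rtrim($storageDir, '/') . '/' . $name;

    // 5. move_uploaded_file() refuses anything that is not a genuine upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $name;
}

/**
 * Serve a stored PDF through PHP instead of exposing the storage directory.
 * $name must be one of the opaque names returned by storeUploadedPdf().
 */
function serveStoredPdf(string $name, string $storageDir): void
{
    // Whitelist the name shape so "../" or any other path can never be requested.
    if (!preg_match('/\A[0-9a-f]{32}\.pdf\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: inline; filename="document.pdf"');
    header('X-Content-Type-Options: nosniff'); // stop browsers second-guessing the type
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Example wiring (assumed request shape):
// $storageDir = '/var/www/private/pdf_uploads'; // outside the document root
// if (isset($_FILES['pdf'])) { $id = storeUploadedPdf($_FILES['pdf'], $storageDir); }
// if (isset($_GET['id']))    { serveStoredPdf($_GET['id'], $storageDir); }
```

Because the stored files never sit under the document root and are only ever streamed back with an explicit application/pdf content type, a renamed .exe or .bat that somehow slipped past the fileinfo check would still be nothing more than bytes the server reads and sends; the web server never gets a chance to treat it as a script.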