Home/ Questions/Q 7035129
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T01:16:05+00:00

Is there any file upload security vulnerability in my code? I am using apache

  • 0

Is there any file upload security vulnerability in my code? I am using apache in my server side. File upload is enabled in php.ini file.

<?php
if ($_FILES["file"]["size"] < 100000)//maximum upload size is 100 kb
{
    if ($_FILES["file"]["error"] > 0)
    {
      echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
    else
    {
    if (file_exists("upload/" . $_FILES["file"]["name"]))
    {
      echo $_FILES["file"]["name"] . " already exists. ";
    }
    else
    {
      move_uploaded_file($_FILES["file"]["tmp_name"],"upload/" . $_FILES["file"]["name"]);
$var="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
$samp=str_shuffle($var);
$pass=substr($samp,0,20);// creating a random text for file name.
$ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
$ext=".{$ext}";
$newfilename="upload/".$pass.$ext;
rename("upload/".$_FILES["file"]["name"],$newfilename );
    echo "Stored in: " . $newfilename;
echo "<br>extension : ".$ext;
  }
}
}
else
  echo "File size is too large..";
?>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Potentially, yes.

    What would happen if someone uploaded a PHP file? Would they be able to determine the filename, file URL, and run the PHP file?

    If so, that program could use the scandir() function to get a list of all your filenames.

    To prevent this, you could store the files outside DocumentRoot path, refuse to accept .php files, or use .htaccess to turn the PHP engine off in that directory.

    • 0