I have a folder that users uploadings are gone into. A person can upload a php file and not get caught if he changes the extension so How can I prevent php to execute anything in the directory (recursively).

Allowing PHP only execute files whose extension is .php will also solve my problem

I would be grateful if you can help.

I have read a thread about that but the solution is not valid for my case.

8 Years
Discussion Span
Last Post by cosai

So u want to disable the .php from uploading??
this is basic script that upload files and as u c u can choose the file type and all options:

The script Contains 2 files:
I) index.php (The uploader Form)
II) uploader_script.php (The uploader script which u edit the file types from)
I) index.php

<form action="gallery_uploader_script.php" method="post"
<label for="file">Upload New Image:</label>
<input type="file" name="file" id="file" /> 
<br />
<input type="submit" name="submit" value="Submit" />

II) uploader_script.php

if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "image/pjpeg"))
&& ($_FILES["file"]["size"] < 200000000))
  if ($_FILES["file"]["error"] > 0)
    echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    echo "Type: " . $_FILES["file"]["type"] . "<br />";
    echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

    if (file_exists("gallery/" . $_FILES["file"]["name"]))
      echo $_FILES["file"]["name"] . " already exists. ";
      "gallery/" . $_FILES["file"]["name"]);
      echo "Stored in: " . "gallery/" . $_FILES["file"]["name"];
  echo "Invalid file";

Hope i helped

Edited by DarkBerzerk™: n/a


There are other way to disable the .php file to be in the folder:
Create file its name .htaccess and put this line in it:

# Sample '.htaccess' file for 'pub' subdirectory 

# Allow all access 
Allow from all 

# Deny people from looking at the index and running SSI and CGI 
Options None 

# We need to protect the entire pub directory tree against any 
# kind of script execution. 

# If you have PHP4 or PHP5 installed make sure the directive 
# below is enabled. If you do not have PHP installed you will 
# need to comment out the directory below to avoid errors: 
php_flag engine off 

# If you have PHP3 installed make sure the directive below is 
# enabled: 
#php3_engine off 

# This line will redefine the mime type for the most common 
# types of scripts. It will also deliver HTML files as if they 
# are text files: 
AddType text/plain .html .htm .shtml .php .php3 .phtml .phtm .pl .py .cgi

then upload this file to folder


Thank you for your reply DarkBerzerk;)

The problem is not prohibiting .php upload to folder.
The hacker tries to upload file.php.jpg or even file.jpg (consisting of php code). He then manages to execute the code.

Please advice something other than chmod 755 as that causes problem in my content manager in my site.

Can I use $_FILES["file"]["type"] for checking video or doc,xls or pdf types?

If all of them fails the last solution can be:
Is there an option in php.ini or somewhere where I can set php interpreter only execute files whose extension is php. So that I can set it and make my uploads folder not be executed by php.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.