
The forums ran from 2008-2020 and are now closed and viewable here as an archive.


#193519
Anonymous

Never allow uploaded files to be executed as scripts. Among other things, this means you cannot store them in a directory that is publicly accessible and also executes PHP scripts. Never use the submitted filename as the filename on your filesystem.

This piece of advice should be imprinted on the minds of everyone and anyone who includes any code that allows importing of files. If a script can be uploaded and executed, you may as well hand out your FTP credentials.

Irresponsible to the point of negligence.

If you don’t understand how to ensure your code is safe against this sort of attack, either pay someone who does or lose the feature.
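
An upload handler that follows the advice quoted in the post above, as an added example that is not part of the original post. The form field name `upload`, the storage path, the size limit and the image allowlist are assumptions chosen for illustration.

```php
<?php
// Added example. Assumed: field "upload", hypothetical storage path, image-only allowlist.
const UPLOAD_DIR = '/var/app-data/uploads';   // outside the document root
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = [                          // detected MIME type => stored extension
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

function store_upload(array $file): string
{
    // Reject multi-file arrays and any upload error before touching the file.
    if (!isset($file['error']) || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was malformed.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Confirm the temp file really came from this request's POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    // Detect the type from content; $file['type'] and $file['name'] are client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext  = is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
    if ($ext === null) {
        throw new RuntimeException('File type not allowed.');
    }
    // Server-generated name: the submitted filename never reaches the filesystem.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640);   // readable by the app, never executable
    return $name;         // keep this ID in the database; serve it through readfile()
}
if (isset($_FILES['upload'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_upload($_FILES['upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Because the storage directory sits outside the web root, the web server cannot be asked to run anything in it; downloads go through a separate script that looks up the stored name and streams the bytes.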