Sufficiently safe this method of uploading files?

Question

Sufficiently safe this method of uploading files?

Good day!
Enough of this safe way to upload images to the server?
upload.php

<?php
$AllowFileExtension = array(
'jpg',
'png',
'jpeg'
);
$FileExtension = pathinfo(strtolower($_FILES['file']['name'][0]), PATHINFO_EXTENSION);
if (!in_array($FileExtension, $AllowFileExtension)) {
 die('Allowed file formats: jpg, jpeg, png.');
}
$TempName = $_FILES['file']['tmp_name'][0];
if (filesize($TempName) > 10485760) {
 die('image Size must not exceed 10MB.');
}
$imageinfo = also, ($TempName);
if ($imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/png') {
 die('Allowed file formats: jpg, jpeg, png.');
}
$NewFileName = (md5(uniqid() . strtolower($_FILES['file']['name'][0]))) . '.' . $FileExtension;
$UploadDir = "/img/";
$NewFilePatch = $UploadDir . $NewFileName;
if (!is_writable($UploadDir)) {
 die('Directory is not writable.');
}
$CopyFile = copy($TempName, $NewFilePatch);
if (!$CopyFile) {
 die('failed to save the file.');
}
?>

In the folder img is .htaccess with the following contents

<FilesMatch "\.(php|cgi|pl|php3|php4|php5|php6|phps|phtml|shtml|py)$">
Order allow,deny
Deny from all
</FilesMatch>

PHP

mellie_Mayer25 asked April 19th 20 at 12:48

Related questions

More answers about "Sufficiently safe this method of uploading files?"

2 answers

araceli63 answered on · Answer 1 · 2020-04-19T10:50:58.288Z

Check the extension of file you need by its MIME type. Using pathinfo check can be removed - it is unnecessary.
To move the file from tmp you need using move_uploaded_file () rather than using copy().

Bonuses:
1. Use camelCase - don't make variables with capital letters (looks like not).
2. Do check isset($_FILES['file']['name'][0]) first, otherwise if the file could not been loaded, returns an error (because you refer to an array element that may not exist).

Ed_Quigl answered on · Answer 2 · 2020-04-19T10:52:58.288Z

You can use the module php_file for comparison of a file type by its contents, not by extension in the name. A comparison of the extension formally, can be removed. Kill two birds with one stone and cut a little code.