I have an uploader in my website and when I use this code to check file type
if($_FILES['fileToUpload']['type']=='image/jpeg' || $_FILES['fileToUpload']['type']=='image/gif' || $_FILES['fileToUpload']['type']=='image/png' )
{
$file_Name = time().".".end(explode(".",$_FILES['fileToUpload']["name"]));
$_FILES["fileToUpload"]["name"] = $file_Name;
move_uploaded_file(@$_FILES["fileToUpload"]["tmp_name"], "upload/" . @$_FILES["fileToUpload"]["name"]);
$msg .='Your file was uploaded successfully';
}
but some hacker they can hacked and upload php file , is there any way more security
Note: when I create php file and I change its extinction to .jpg then I upload the file it will be uploaded
Yes, it's utterly vulnerable. In $_FILES, the following parameters are under USER control:
['type']
['name']
it is beyond trivial to forge an upload, allowing such things as:
['type'] = 'image/jpeg';
['name'] = 'nasty_hacking_script.php';
and boom, they're through your (laughable) security. Since you're allowing the user-defined file extension to get through your system, and only doing a trivial time-based renaming, you'll end up with something like
1234567890.php
in your site's document root. Given the name is time-based, it's also trivial for the attacker to simply poke at your server and guess what the exact time-of-upload was, e.g.
for($i = 1234567800; $i <= 124000000; $i++) {
see_if_url_exists("$i.php");
}
until they find their script. Now they have TOTAL control of your site, and most likely the server as well.
In short, your code provides about as much security as a piece of wet toilet paper. It is BEYOND dangerous.