On Thursday, September 19, 2013, Stuart Dallas wrote:

> On 19 Sep 2013, at 14:39, Aziz Saleh <azizsa...@gmail.com> wrote:
>
> > The best way to handle file uploads is to:
> >
> > 1) Store the filename somewhere in the DB, rename the file to a random string without extension and store the mapping in the DB as well.
> > 2) When sending the file, set the header content to the filename and output the content of the file via PHP (ex: by readfile).
> >
> > Aziz
> >
> > This way even if the file is PHP code, it will be of no issue to you.
>
> What you describe is highly inefficient, clunky, and unnecessary. You've managed to get PHP and a database involved in serving a static file, for no reason other than to avoid fixing the web server configuration.
>
> A misconfigured web server should be fixed, not worked around.
>
> -Stuart
>
> --
> Stuart Dallas
> 3ft9 Ltd
> http://3ft9.com/
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
You can also run a strip_tags() call on the file upload to help prevent this.

Bastien

--
Bastien

Cat, the other other white meat
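Aziz's scheme from the quoted message, written out as an added PHP example (not code from anyone in this thread): the upload is renamed to a random, extension-less name and the original filename is kept only as data in the database, and the download script looks the mapping up and streams the bytes with readfile(). The upload directory path, the `$pdo` connection and the `uploads` table are assumptions made for the example.

```php
<?php
// Added example: Aziz's approach from the quoted message, as a defender would write it.
// Assumptions (not from the thread): UPLOAD_DIR is outside the web root, $pdo is a
// PDO connection, and a table uploads(id, stored_name, orig_name) exists.
const UPLOAD_DIR = '/var/app/uploads';

function storeUpload(PDO $pdo, array $file): int
{
    // Only accept a file that really came through PHP's upload mechanism.
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Random name with no extension: even if the bytes are PHP code, nothing
    // maps the stored file to an interpreter and it is never under the web root.
    $stored = bin2hex(random_bytes(16));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not move upload');
    }
    // The client-supplied name is kept only as data; basename() drops any path part.
    $stmt = $pdo->prepare('INSERT INTO uploads (stored_name, orig_name) VALUES (?, ?)');
    $stmt->execute([$stored, basename($file['name'])]);
    return (int) $pdo->lastInsertId();
}

function sendUpload(PDO $pdo, int $id): void
{
    $stmt = $pdo->prepare('SELECT stored_name, orig_name FROM uploads WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Re-check the stored name against the format we generate, so a tampered
    // row can never point outside UPLOAD_DIR.
    if ($row === false || !preg_match('/^[0-9a-f]{32}$/', $row['stored_name'])) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $row['stored_name'];
    // Restrict the download name to a safe character set before putting it in a header.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['orig_name']) ?: 'download';
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);   // bytes are streamed to the client, never included or executed
}

// Example usage in an upload handler:   $id = storeUpload($pdo, $_FILES['document']);
// ...and in a download script:          sendUpload($pdo, (int) ($_GET['id'] ?? 0));
```

Serving with a fixed `application/octet-stream` type and `attachment` disposition means the browser downloads the bytes rather than rendering them, which covers the case Aziz raises (uploaded PHP code) without the web server ever seeing a `.php` file.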