How to handle upload of .php files without possibility of executing them?

Question

I want to allow my users to upload .php files to the server, but also want to make sure the files are harmless to my application.

Any suggestions?

Thank you.

Answer 1

Option 1: Store them with a different filename and store the original filename as part of the metadata, e.g. in a database table.

Option 2: Disable script execution on the uploads directory.

Option 3: Rename them to .phps (an accepted extension for the display of raw PHP)

Answer 2

Make the upload directory separate, write-only and not visible from the internet (this will prevent them accessing their own script after uploading).

You can then moderate new scripts and do as you see fit.

Answer 3

A couple of solutions:

• Rename them to .phps
• Disable execution of PHP in the upload directory in your webserver configuration

Answer 4

I recommend the ‘disable script execution in the uploads directory’ approach. This is the only solution that’s completely safe.

Just add this rule to the .htaccess file inside the uploads directory:

php_value engine off

Answer 5

Just don't execute them, that's enough.

Make sure that your application doesn't run or include user-uploaded files at any point (e.g. by using a GET parameter to include a file without any sanitation).

Also make sure the uploaded files are not accessible from outside with the .php extension.

In a normal, halfway properly coded workflow, uploaded .php files do not pose a security risk no matter what code they contain.