Is this basic file upload check secure enough?

Question

The mimetype is also being checked, but since that can be spoofed, is this additional simple snippet adequate for checking the validity of an uploaded file?

$safe_to_move = false;

$ext = array("pdf", "doc", "docx", "xls", "xlsx");
if (in_array(preg_replace('/.*\./', '', strtolower($_FILES['file']['name'])), $ext)) {
    $safe_to_move = true;
}

if (!is_uploaded_file($_FILES['file']['tmp_name'])) {
    $safe_to_move = false;
}

Answer 1

What you've done is a solid approach but how secure it is depends more on how your server environment is set up.

This article offers some pretty good insight into what you're asking and everything i'm saying will more or less be a reference to it. http://resources.infosecinstitute.com/file-upload-vulnerabilities/

You've definitely done the right thing creating a white-list but...

The most important thing is to keep uploaded files in a location that can’t access though the Internet. This can be done either by storing uploaded files outside of the web root or configuring the web server to deny access to the uploads directory.

There's other things you can do to increase security and I totally advise you look at the solutions section of the linked article, but making sure those files are stored in a way that they can't easily be accessed "off site" makes it much harder to run them externally (obviously).

Tl;Dr What you've done is a good first step and if your server environment is set up correctly it should be enough.