Form validation is an essential part of any web application, so it's good to see that on the list. You're combining two of the most risky elements of web applications here, file uploads and database interaction, so you obviously need to tread carefully. I guess that's why you're asking!
My suggestion in terms of approach is firstly not to use user-submitted filenames; that opens up a whole area of risk you don't need. Unless this is a required feature of your app, generate a new random filename in PHP and use move_uploaded_file to copy from the PHP-assigned tmp_name to your new random filename.
Once you've performed this move you can update the database with the location of the file.
My approach would therefore be:
- Strict validation of any user supplied input based on a whitelist ([a-z][A-Z][0-9] as a suggestion).
- Avoid echoing user-supplied data back to the screen; if you do, output-encode it to HTML entities.
- Avoid using user-supplied data as input to the database or as a filename; generate a new filename which you control.
- Handle the upload itself and, after performing some validation checks, move the image to its new location under your generated filename.
- Update the database with the new filename.
I know you weren't after code, but here are a couple of little snippets from a working file upload I have; it doesn't do the database part, but that would be straightforward to add.

    <?php
    // random_string(), exit_status() and $upload_directory were not part of the
    // posted snippet; minimal versions are supplied here so the block runs as-is.
    function random_string($length) {
        // $length hex characters from a CSPRNG (random_bytes needs PHP 7+)
        return substr(bin2hex(random_bytes($length)), 0, $length);
    }
    function exit_status($message) {
        // output-encode before echoing, as recommended above
        echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
        exit;
    }
    $upload_directory = "uploads"; // assumed value: directory below SITE_ROOT

    function generate_filename() {
        // could be improved upon really
        $random_string = random_string(8);
        $filename = $random_string . time() . ".jpg";
        return $filename;
    }

    if ($_FILES["file_upload"]["size"] != 0) {
        $file_name = generate_filename();
        $file_path = "/" . $upload_directory . "/" . $file_name;
        // SITE_ROOT is a constant for the file system location. This could be /var/www/images for example.
        $target_file_name = SITE_ROOT . $file_path;
        // Note: ["type"] is supplied by the client; the getimagesize() check below
        // is what actually verifies the content.
        if ($_FILES["file_upload"]["type"] == "image/jpeg") {
            if (getimagesize($_FILES["file_upload"]["tmp_name"])) {
                if (move_uploaded_file($_FILES["file_upload"]["tmp_name"], $target_file_name)) {
                    exit_status("File uploaded successfully to $file_path");
                } else {
                    exit_status("Eek, something went wrong with your image upload");
                }
            } else {
                exit_status("Not a valid image");
            }
        } else {
            exit_status("Invalid file type. We only support JPEG");
        }
    } else {
        exit_status("You didn't specify a file to upload. Try again");
    }