Some times a Hacker use a php file or shell as a image to hack your website. so if you try to use move_uploaded_file() function as in example to allow for users to upload files, you must check if this file contains a bad codes or not so we use this function. preg match
in this function we use
unlink() - http://php.net/unlink
after you upload file check a file with below function.
<?php
/**
* A simple function to check file from bad codes.
*
* @param (string) $file - file path.
* @author Yousef Ismaeil - Cliprz[at]gmail[dot]com.
*/
function is_clean_file ($file)
{
if (file_exists($file))
{
$contents = file_get_contents($file);
}
else
{
exit($file." Not exists.");
}
if (preg_match('/(base64_|eval|system|shell_|exec|php_)/i',$contents))
{
return true;
}
else if (preg_match("#&\#x([0-9a-f]+);#i", $contents))
{
return true;
}
elseif (preg_match('#&\#([0-9]+);#i', $contents))
{
return true;
}
elseif (preg_match("#([a-z]*)=([\`\'\"]*)script:#iU", $contents))
{
return true;
}
elseif (preg_match("#([a-z]*)=([\`\'\"]*)javascript:#iU", $contents))
{
return true;
}
elseif (preg_match("#([a-z]*)=([\'\"]*)vbscript:#iU", $contents))
{
return true;
}
elseif (preg_match("#(<[^>]+)style=([\`\'\"]*).*expression\([^>]*>#iU", $contents))
{
return true;
}
elseif (preg_match("#(<[^>]+)style=([\`\'\"]*).*behaviour\([^>]*>#iU", $contents))
{
return true;
}
elseif (preg_match("#</*(applet|link|style|script|iframe|frame|frameset|html|body|title|div|p|form)[^>]*>#i", $contents))
{
return true;
}
else
{
return false;
}
}
?>
Use
<?php
// If image contains a bad codes
$image = "simpleimage.png";
if (is_clean_file($image))
{
echo "Bad codes this is not image";
unlink($image);
}
else
{
echo "This is a real image.";
}
?>