Is it possible to block php scripts in upload folder?

I'm experiencing my first form in php where images can be uploaded.

I've seen some article 开发者_如何学运维on the web which explains it can be dangerous, so there is some way to block scripts on a specified folder? Something with .htaccess or php .ini instruction?

---

The VERY best way is to make sure that your upload directory is outside of your webroot. As long as the webserver has read/write access there you will be fine - no worries about executable uploads. This was discussed here on stackoverflow.

---

Your best bet is to verify the file's extension upon upload. If it's not jpg/png/gif/etc., dismiss it. As long as your webserver is not misconfigured to interpret any file as a PHP file, then with this approach you're out of harm's way, with minimal headache and really simple implementation.

---

Check the file being uploaded has a benign extension (.gif, .mp3, etc) - and trash anything else. For extra-sekrit protection, capture the file's original name in a database (for future reference), then encrypt the filename (and store that as well). That way anything that's uploaded can't be found by filename by the uploader.

---

It's dangerous only if you let the users upload whatever they want. Allow only what you decide is safe and you won't need to block anything.

---

i think it can be dangers if you don't check what file type was uploaded e.g. "hacker" uploads a php file that deletes all of your httpdocs stuff, or if people can upload to many or to big files.