ASPit - Totally ASP JSit - Totally JavaScript
Search PHPit

Use this textbox to search for articles on PHPit. Seperate keywords with a space.


Creating a SECURE file manager with PHP

(Page 3 out of 3)

Other various changes

The index file which shows a list of all the uploaded files, using the dir class, needs a small fix as well, because all the files have a .php extension. All we need to do is strip away the .php extension, which takes very little code:

$arr['name'] = substr($file, 0, strrpos($file, '.'));

Another thing I added to the new secure file manager is the following code, which disables the 'Magic Quotes' problem, whereby slashes were being added to any files that were being edited.

if (get_magic_quotes_gpc()) {
    function stripslashes_deep($value)
        $value = is_array($value) ?
                    array_map('stripslashes_deep', $value) :

        return $value;

    $_POST = array_map('stripslashes_deep', $_POST);
    $_GET = array_map('stripslashes_deep', $_GET);
    $_COOKIE = array_map('stripslashes_deep', $_COOKIE);

The above code first checks if magic quotes is enabled, and if it is, it removes all slashes from the POST, GET and COOKIE variables.

Another way to add an extra layer of security is to place a .htaccess file in your upload directory, with the following contents:

AuthName "Private Upload Directory"
AuthType Basic
AuthUserFile /non/existing/path/.htpasswd
Require valid-user

This will password protect the upload directory, except there is no password file, so no-one will be able to access it. It's just an extra layer of protection on top of our other measures.


In this follow-up tutorial I've shown you how to create a file manager that's 100% secure, and in no way "hack-able". Just to remind you, the following ways can be used to protect your upload directory (ranging from highest level of safety to lowest):

1. Put your upload directory in a non-public place, like above your webroot
2. Use a .htaccess file to password protect the upload directory, making it impossible to be read by anyone.
3. Use the PHP security measure we created in this tutorial. One disadvantage is that it will make your files up to 33% bigger (due to the base64 encoding).

If you use any of the above measures, or even several together, your file manager is guaranteed to be secure!

If you want to download the complete SECURE file manager, click here to download the source and click here to view a live demo, although it's exactly the same as the demo of the previous tutorial. If you're interested in testing the security measures, the upload directory of the demo is located at

If you have any comments or questions on this tutorial, feel free to drop them below or join us at PHPit Forums.

« Previous: Uploading & Downloading

5 Responses to “Creating a SECURE file manager with PHP”

  1. Rafe Says:

    Sexy, just getting started with the whole web development thing, very excitng. i enjoyed this tutorial.

  2. Rafe Says:

    Just wondering if i might get a response on this question. I get a security error when i try to do anyhting with the files, be it edit, or delete, or download. ID this due to folder restrictions, i have the permissions at 777. or should i try locating the uploads folder above my web directory as you stated in this tutorial?

  3. Ed Says:

    What if instead of downloading the file, I want to use the file as an image source? For example: img src=’uploaded_file.php’ ?

  4. Parikshit Says:

    thanks very much i got a way for security purpose in files .
    but can you tell me how we can upload mpeg files

  5. Barry Says:

    For PHP 4.3 and higher, you can use file_get_contents() to get the file contents as a string instead of having to use implode() with file().

Leave a Reply

About the author
Dennis Pallett is the main contributor to PHPit. He owns several websites, including ASPit and Chill2Music. He is currently still studying.
Article Index
  1. Thinking of a solution
  2. Uploading & Downloading
  3. Conclusion
Bookmark Article
Download Article
Download this article as a PDF file