Scan files before uploading
sponge.nika
01-07-2011, 11:10 AM
I want to know how to scan files before uploading them to the server in PHP applications.
I also read that it is possible to just check the file MIME type. Is that enough? The permitted file types that can be uploaded are txt, pdf, jpg, gif, png, doc, xls, zip, rar, docx, xlsx.
Also, our administrators examine all uploaded files and delete any that have something wrong with them. Will this keep the system secure?
fastsol1
01-07-2011, 12:53 PM
Here is a link to a good source of info on file upload security: http://www.mysql-apache-php.com/fileupload-security.htm This article takes it to the max, I think, in terms of not allowing the customer to upload a file in a place where it can do damage if it happens to get by your checks. Checking the type of the file is not enough because it can be faked. Personally I think that if you were to use strpos() or explode() on the "." of the uploaded file name and verify that it is an allowed extension, and then resave it as a different file name with the verified extension, it would be secure at that point.
sponge.nika
01-10-2011, 06:10 AM
The file name is changed to a random file name, and I also check the extension of the file.
But when the information is approved, the attachments become accessible.
If someone managed to upload a malicious file to the server before the site administrator noticed the file and deleted it, could this cause a problem?
fastsol1
01-10-2011, 01:00 PM
Not totally. Did you have a look at the link I gave you? A file extension and its content can be faked in a few different ways. You need to check the extension after the first "." in the file name to see if it's a file type you want to accept, then rename the file and save it with the extension it had if you accept it.
Example of this: a file could be a PHP file in disguise by doing something like this: myimage.php.jpg. The browser, when uploading, will see it as a jpg, but when run on the server it will be read as PHP, so the code in the file would run as a PHP file.
Once it's on the server, if the person is able to figure out where the file is and what its name is, they will be able to use it, so if the admin didn't get to it until the next morning the damage could already be done.
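The checks the replies above describe (allow-list the extension, distrust the client-supplied type, rename to a random name, keep the file where it cannot be executed or fetched by URL) put together as an added PHP example. This is not code from the thread; it assumes PHP 7 or later, a hypothetical storage directory /var/app/uploads outside the document root, and that the MIME strings listed match what your libmagic reports (they vary between versions, so verify them on your own server).

```php
<?php
// Added example, not from the thread: validate an upload, then store it under a
// random name outside the web root and serve it only through PHP after approval.
declare(strict_types=1);

// The extensions from the original question, each with the MIME types finfo is
// expected to report for real files of that kind (assumption; check your libmagic).
const ALLOWED = [
    'txt'  => ['text/plain'],
    'pdf'  => ['application/pdf'],
    'jpg'  => ['image/jpeg'],
    'gif'  => ['image/gif'],
    'png'  => ['image/png'],
    'doc'  => ['application/msword'],
    'xls'  => ['application/vnd.ms-excel'],
    'zip'  => ['application/zip'],
    'rar'  => ['application/x-rar', 'application/vnd.rar', 'application/x-rar-compressed'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
    'xlsx' => ['application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'],
];

// Hypothetical directory: outside the document root, not mapped to any URL, and
// not in the PHP include path, so a disguised script can never be executed.
const STORAGE_DIR = '/var/app/uploads';
const MAX_BYTES   = 5 * 1024 * 1024;

/**
 * Validate one $_FILES entry and move it into STORAGE_DIR.
 * Returns the stored name (32 hex chars + verified extension) or throws.
 */
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a file uploaded via HTTP POST');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }

    // Only the LAST extension counts, lower-cased, and it must be on the list.
    // "myimage.php.jpg" yields "jpg"; the ".php" part never reaches the stored name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // Inspect the bytes, not $file['type']: that field comes from the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED[$ext], true)) {
        throw new RuntimeException("content type '$mime' does not match .$ext");
    }

    // For images, additionally require that the image decoder agrees.
    $imageTypes = ['jpg' => IMAGETYPE_JPEG, 'gif' => IMAGETYPE_GIF, 'png' => IMAGETYPE_PNG];
    if (isset($imageTypes[$ext])) {
        $info = @getimagesize($file['tmp_name']);
        if ($info === false || $info[2] !== $imageTypes[$ext]) {
            throw new RuntimeException('image data does not match extension');
        }
    }

    // Random name plus the extension we verified; the original name is discarded.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = STORAGE_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0640); // plain data, never executable
    return $stored;
}

/**
 * Serve an approved file by its stored name. $approved would come from the
 * database record the admin reviewed; unapproved files are simply not found.
 */
function serveStored(string $stored, bool $approved): void
{
    // The stored name always matches this pattern, so "../" and the like are
    // rejected before the filesystem is touched.
    if (!$approved || !preg_match('/^[0-9a-f]{32}\.[a-z0-9]{2,4}$/', $stored)) {
        http_response_code(404);
        return;
    }
    $path = STORAGE_DIR . '/' . $stored;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($stored, PATHINFO_EXTENSION);
    header('Content-Type: ' . ALLOWED[$ext][0]);
    header('X-Content-Type-Options: nosniff');          // browser must not sniff a script out of it
    header('Content-Disposition: attachment; filename="' . $stored . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage, assuming a form field named "attachment":
// $storedName = storeUpload($_FILES['attachment']);   // persist $storedName with approved = false
// serveStored($storedName, $approvedFlagFromDatabase); // in the download script
```

Because nothing under /var/app/uploads is reachable by URL, a file that slips past the checks sits inert until an administrator approves it, and even then it is sent as a download with a fixed Content-Type rather than executed by the web server; that closes the window the reply above describes between the upload and the admin noticing it.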
cindylou
01-10-2011, 06:24 PM
Try using this one... this might help.
// Recursively list a directory. $mode selects what is returned: "FULL" (files and
// directories), "FILES" (files only) or "DIRS" (directories only). $maxdepth < 0
// means unlimited recursion; $d is the current depth and is only used internally.
function searchdir ( $path , $maxdepth = -1 , $mode = "FULL" , $d = 0 )
{
    // Ensure the path ends with a slash so entries can be appended directly.
    if ( substr ( $path , strlen ( $path ) - 1 ) != '/' )
    {
        $path .= '/';
    }
    $dirlist = array () ;
    if ( $mode != "FILES" ) {
        $dirlist[] = $path;
    }
    if ( $handle = opendir ( $path ) )
    {
        while ( false !== ( $file = readdir ( $handle ) ) )
        {
            // Skip the current and parent directory entries.
            if ( $file != '.' && $file != '..' )
            {
                $file = $path . $file ;
                if ( ! is_dir ( $file ) )
                {
                    if ( $mode != "DIRS" )
                    {
                        $dirlist[] = $file;
                    }
                }
                // Descend into subdirectories while within the depth limit.
                elseif ( $d >= 0 && ( $d < $maxdepth || $maxdepth < 0 ) )
                {
                    $result = searchdir ( $file . '/' , $maxdepth , $mode , $d + 1 ) ;
                    $dirlist = array_merge ( $dirlist , $result ) ;
                }
            }
        }
        closedir ( $handle ) ;
    }
    // Sort once, at the top level of the recursion.
    if ( $d == 0 ) { natcasesort ( $dirlist ) ; }
    return ( $dirlist ) ;
}