Comment Re:Every language is unsafe. (Score 2) 145
is it generally safe to store them in a .htaccess-restricted folder provided that the filename has been cleansed of path separators
The .htaccess restriction is important to prevent one of the other leading causes of PHP vulnerability: Allowing someone to upload a valid JPEG with a
Part of the reason why PHP is such a large gun for shooting yourself in the foot is that it mixes content and code by design, so you have to take a few extra precautions, when accepting content from somewhere else, to make sure it doesn't have unwanted code mixed in. Some of the precautions are basic PHP (like "include() is not how you read a file"); others take a little more awareness of the entire environment (like "the web server will happily execute anything anyone uploads with a .php extension in a folder accessible from the web").
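The two precautions the comment names (treat an upload as data, never as code to include(); and never let the web server run anything in the folder uploads land in) put together as an added example. This is not code from the original comment or its author. It assumes Apache 2.4 with mod_mime loaded and AllowOverride permitting the directives written into .htaccess (nginx ignores .htaccess entirely); the UPLOAD_DIR path, the ALLOWED table, the form field name `image` and the `f=` query parameter are all my assumptions for the illustration.

```php
<?php
// Added example: hardened PHP upload handler and file server, not code from the original comment.
declare(strict_types=1);

// Assumption: uploads live in a directory the web server will not execute from.
const UPLOAD_DIR = __DIR__ . '/uploads';

// Detected MIME type -> extension we write. The extension never comes from the client.
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// Create the upload directory and drop in an .htaccess that (a) strips any PHP handler
// mapping, so even a file ending in .php is never executed, and (b) denies direct requests,
// so bytes only leave this directory via serveUpload() below. Apache 2.4 syntax.
function ensureUploadDir(string $dir): void {
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    $htaccess = <<<'HT'
RemoveHandler .php .phtml .php3 .php5 .phar
Require all denied
HT;
    $path = $dir . '/.htaccess';
    if (!is_file($path)) {
        file_put_contents($path, $htaccess . "\n");
    }
}

// Return the extension to use, or throw. Both libmagic and PHP's own image parser must agree;
// a valid JPEG can still carry "<?php" in a comment segment, which is why the handler mapping
// above matters as well: content checks alone do not stop execution.
function validateImage(string $tmpPath): string {
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        throw new InvalidArgumentException("unsupported type");
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info['mime'] !== $mime) {
        throw new InvalidArgumentException('not a well-formed image');
    }
    return ALLOWED[$mime];
}

// Vulnerable pattern this replaces (client-chosen name, web-accessible folder, no handler restriction):
//   move_uploaded_file($file['tmp_name'], 'uploads/' . $file['name']);
function storeUpload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = validateImage($file['tmp_name']);
    ensureUploadDir(UPLOAD_DIR);
    // Random server-chosen name: path separators, double extensions (x.php.jpg) and
    // anything else in the client's filename are simply never used.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);
    return $name;
}

// Serve a stored file by copying bytes with readfile(). include() here would run any PHP
// embedded in the image; readfile() cannot.
function serveUpload(string $name): void {
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|gif)$/', $name)) {   // only names we generate
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $name . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['image'])) {
        try {
            echo storeUpload($_FILES['image']);
        } catch (Exception $e) {
            http_response_code(400);
            echo 'rejected';
        }
    } elseif (isset($_GET['f'])) {
        serveUpload((string) $_GET['f']);
    }
}
```

The .htaccess is belt and braces: `Require all denied` alone already keeps the web server from ever serving or executing files in that directory directly, and `RemoveHandler` covers the case where someone later loosens the access rule. Check that it is actually honoured on your server (request a stored file by its direct URL and expect a 403) rather than assuming it; with `AllowOverride None` Apache silently ignores the file, and the protection is gone.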