
nhayder (Level 13)

How secure is Laravel when it comes to file upload with onboard validation?

This might be a dumb question for some of you, but I really need to know how to build a very secure file uploader.

As you know, file uploading can be used to upload shell scripts to hack online apps.

So my question is: how secure is Laravel when it comes to file uploading (images, PDF, etc.), and will Laravel's onboard validations do the job of protecting my app from malicious shell injection?

0 likes
3 replies
bobbybouwmann (Level 88)

Laravel will by default not protect you against anything! You can let Laravel handle the upload process and validate on file size and file extension, but that's it. So if you want to make sure weird files are not being uploaded, make sure you check for certain file extensions like pdf, etc.

Checking if a file is secure or not is a whole different story. Companies have spent years building this kind of software, so just building it into a Laravel app is not easily done (if you want to do it perfectly).

It's always wise to store uploaded files in a different location than the server itself, for example AWS S3.

1 like
nhayder (Level 13)

In case anybody needs such a secure file uploader: I have done some research regarding this, and it looks like the best way to do this, in addition to what @bobbybouwmann suggested above, is that file storage should be outside the public folder. So if a user was able to upload malicious files, they will never be able to run the script from the browser by hitting the file's location endpoint (in most cases hackers will upload a shell script through an available file uploader and then run the script from the browser).

Shell files mainly look like this:

29384792837492384.php.jpg

So the file is actually contained in a MIME type of image/jpeg, and you need to make sure to remove unwanted extensions from the file name and make a unique code for every stored file in your DB.

A UUID, something like this: domain/923874923749283749234

In your controller you need to get the file with the proper UUID; have a look at @bobbybouwmann's suggestion for this issue in our last conversation.

https://laracasts.com/discuss/channels/laravel/how-to-access-image-folder-stored-outside-public-folder

Hope this helps those who are trying to make a secure file management process with Laravel.

Thanks

1 like
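Putting the thread's advice together (allow-listed file types checked by content, storage outside the public folder, UUID file names, and a controller that serves by UUID), here is an added example that is not code from either poster. It assumes a hypothetical `Upload` Eloquent model with columns `uuid`, `path` and `mime`, and the route wiring for `store` and `show` is left to the reader.

```php
<?php
// Added example, not code from the thread. Assumes an `Upload` Eloquent model
// (columns uuid, path, mime) and Laravel's default 'local' disk, which maps to
// storage/app and is not reachable through the web server.
namespace App\Http\Controllers;

use App\Models\Upload;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;
use Illuminate\Support\Str;

class UploadController extends Controller
{
    // Allow-list of types. The `mimes` rule checks the sniffed content type,
    // not the extension the browser supplied.
    private const ALLOWED = ['jpg', 'jpeg', 'png', 'pdf'];

    public function store(Request $request)
    {
        $request->validate([
            'file' => ['required', 'file', 'mimes:' . implode(',', self::ALLOWED), 'max:5120'],
        ]);
        $file = $request->file('file');
        // extension() is derived from the detected MIME type, so an upload
        // named "123.php.jpg" is stored as "<uuid>.jpg", never as ".php".
        $ext = $file->extension();
        abort_unless(in_array($ext, self::ALLOWED, true), 422);

        $uuid = Str::uuid()->toString();
        $path = $file->storeAs('uploads', "{$uuid}.{$ext}", 'local');
        Upload::create(['uuid' => $uuid, 'path' => $path, 'mime' => $file->getMimeType()]);

        return response()->json(['id' => $uuid], 201);
    }

    // Files are never addressed by path: the client only knows the UUID, and
    // the app reads and streams the bytes itself instead of letting the web
    // server resolve (and possibly execute) a file under the document root.
    public function show(string $uuid)
    {
        abort_unless(Str::isUuid($uuid), 404);
        $upload = Upload::where('uuid', $uuid)->firstOrFail();

        return Storage::disk('local')->response($upload->path, null, [
            'Content-Type' => $upload->mime,
            'X-Content-Type-Options' => 'nosniff',
        ]);
    }
}
```

The original client file name is deliberately not used anywhere in the stored path; if you need it for display, keep it in the database as data only.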
