This is a simple question, and I'm sure I could figure it out myself, but I wanted some of your ideas. How would you protect users from uploading malicious code through forms. For example. Say I wanted to cause harm to this forum and decided I hated the php forum so I wanted to just delete the directory. My first plan would be to post the following code in one of my threads

PHP Code:

<?php
rmdir('php-forum');
?>

Of course, I would do this without the code tags around it. How could you protect your forms from code like this. I believe this forum converts symbols like < to &lt; and I think this is a simple security feature they use to protect there forums, and I know how to do this with php, but are there better more advanced ways of protecting yourself?

Thanks

As long as you don't do anything like:

PHP Code:

eval($_POST['formdata']); 


This shouldn't be a problem. Code submitted via a form is never evaluated as PHP code unless the coder does so explicitly. So without any validation or character conversion, form data is still safe from what I suppose you would call a PHP injection.

By the way, the code you posted most likely would just generate a warning. I really doubt there is a physical directly on this server called php-forum. The illusion of a directory structure is generated through htaccess.

The key thing is to ensure that the file is never on the server in an executable format or, as Matt said, executed directly. To ensure this (as well as conserve space), I zip the files upon upload.