Hobbyist Programmer
Join Date: Apr 2005
Posts: 126
Rep Power: 4
PHP Uploader, Aiming for safety.
I have added an uploader to my website. It is a simple multi file uploader.
I want to keep adding features to it, but one thing stumps me: the security. When a user chooses a file(s) to upload, it is uploaded in a specified subdirectory within the upload directory, under its original file name. That is one thing I need to do something with. So far my script checks:

- Checks if a file with that filename already exists; if so, it adds a numerical prefix to the file name.
- Checks if the format is valid; I only block .exe formats at this moment.
- Checks if the format is a "convert to .txt" format, which includes: html, xhtml, css, js, php, php3, php4, php5, xml, etc.

Otherwise the file is uploaded with its original file name as is.

Anyone have some pointers on some security I can add, as in checking the file name, invalid characters in a file name, etc.?

Next is the specified upload directory. I know they can somehow reach other directories with slashes and periods or something. How would I go about making sure the specified directory is only valid alphanumeric characters? Same goes for the create directory function: I can only have them entering alphanumeric characters.

Thank you for reading. I am a bit rusty at PHP lately; I just picked up my project again after nearly a year's break from it.
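One way to implement the file name and directory checks asked about above, as an added example that is not the poster's script. `UPLOAD_ROOT`, `SCRIPT_EXT` and the three function names are assumptions made for illustration; `$file` is assumed to be a single entry of `$_FILES`.

```php
<?php
// Added example, not the poster's script. Constants and function names are assumptions.
const UPLOAD_ROOT = '/var/www/uploads';   // assumed location of the upload directory
const SCRIPT_EXT  = ['html', 'xhtml', 'css', 'js', 'php', 'php3', 'php4', 'php5', 'xml'];

// Directory names: letters and digits only, so "/", "\" and "." can never appear.
function safe_dir_name(string $dir): ?string
{
    return preg_match('/\A[A-Za-z0-9]{1,64}\z/', $dir) === 1 ? $dir : null;
}

// File names: drop any path part, replace characters outside a small allowlist,
// then apply the post's ".exe is blocked" and "convert to .txt" rules case-insensitively.
function safe_file_name(string $name): ?string
{
    $name = basename(str_replace('\\', '/', $name));            // strips "dir/" and "dir\"
    $name = (string) preg_replace('/[^A-Za-z0-9._-]/', '_', $name);
    $name = ltrim($name, '.');                                   // no ".htaccess", ".." or "."
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || strlen($name) > 200 || $ext === 'exe') {
        return null;
    }
    return in_array($ext, SCRIPT_EXT, true) ? $name . '.txt' : $name;
}

// Returns the stored path, or null if any check fails.
function store_upload(array $file, string $dir): ?string
{
    $dir  = safe_dir_name($dir);
    $name = safe_file_name((string) ($file['name'] ?? ''));
    if ($dir === null || $name === null || ($file['error'] ?? null) !== UPLOAD_ERR_OK) {
        return null;
    }
    // The directory must already exist and resolve (symlinks included) inside the root.
    $root   = realpath(UPLOAD_ROOT);
    $target = realpath(UPLOAD_ROOT . '/' . $dir);
    if ($root === false || $target === false
        || strpos($target, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    // Numerical prefix on a name collision, as the post describes.
    $dest = $target . DIRECTORY_SEPARATOR . $name;
    for ($i = 1; file_exists($dest); $i++) {
        $dest = $target . DIRECTORY_SEPARATOR . $i . '_' . $name;
    }
    // move_uploaded_file() only accepts files that arrived through an HTTP POST upload.
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

These checks control where a file lands and what it is called; they do not make its content safe to serve, so the upload directory should also sit outside the web root or have script execution disabled.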