
Security related to .csv files


impact

4:41 am on Dec 26, 2010 (gmt 0)




Hello,

I am trying to import Google contacts into my site. For the moment I am trying to import contacts through Google contacts .csv file.

I am able to upload the file successfully into my server. Any idea what kind of security I should implement so that this is not misused? Please also let me know how I check the file extension and file content so that no potentially dangerous files are uploaded into the server.

I am a novice, your generous help will be appreciated.

Thank you,

Brett_Tabke

5:25 pm on Dec 30, 2010 (gmt 0)




Can you get to the file via http?

If so - put it in a directory that is not visible from the web.

Matthew1980

5:34 pm on Dec 30, 2010 (gmt 0)




^^^

Yep, on most servers/hosts it's called private_html, but you get the idea. If this uploader is your own creation you could check that the file type is as it should be. Basic security there.

Cheers,
MRb

rocknbil

6:33 pm on Dec 31, 2010 (gmt 0)




Checking the extension is a waste of time, all anyone needs to do is change the extension of an executable. You'd probably want to cleanse the input file thoroughly line by line. Something like

$delimiter = '|'; // or ',', "\t", etc.

// $file holds the uploaded file's contents as a string
$err = cleanse_upload($delimiter, $file);
if ($err) { /* some error response here */ }

A decent start is:

// preg_quote() so a delimiter such as '|' or '.' is taken literally inside the character class
if (preg_match('/[^\w\d\s' . preg_quote($delimiter, '/') . ']/', $file)) {
    return "Bad data";
}

"Anything not a word character, digit, whitespace, return an error"

Then go through line by line, cleansing. You could do the entire block but there may be some fields you want to examine differently.

$lines = preg_split('/\r\n|\r|\n/', $file);

foreach ($lines as $line) {

    // Throw away everything you don't want.
    // Note a-z is not the same as \w
    // This will disable <script> but leave "script"
    // in so you can see what they are up to.
    // Translation: remove anything not these
    $line = preg_replace('/[^a-z\d\s,\.\"\'' . preg_quote($delimiter, '/') . ']/i', '', $line);

    // Then explode on the delimiter, run the standard stuff:
    // escape strings, etc., then reassemble it
}
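Putting the thread's advice together (check the content rather than the extension, then keep the file out of the web root), here is an added example that is not code from any of the posters: it parses the upload as CSV field by field with fgetcsv, rejects binary content, unexpected columns and control characters, and stores the accepted file under a server-chosen name. The form field name, the private directory and the expected column names are assumptions for illustration.

```php
<?php
// Added example: validate an uploaded contacts CSV by parsing it, not by
// trusting its extension. Field name, columns and paths are assumed values.

function validate_contacts_csv(string $path, array $required, int $maxRows = 5000): array
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return ['ok' => false, 'error' => 'cannot open upload'];
    }
    // A text CSV never contains NUL bytes: reject renamed binaries early.
    $head = fread($fh, 8192);
    if ($head === false || strpos($head, "\0") !== false) {
        fclose($fh);
        return ['ok' => false, 'error' => 'not a text file'];
    }
    rewind($fh);

    $header = fgetcsv($fh);
    if ($header === false || array_diff($required, $header) !== []) {
        fclose($fh);
        return ['ok' => false, 'error' => 'expected columns missing'];
    }

    $rows = [];
    while (($fields = fgetcsv($fh)) !== false) {
        if ($fields === [null]) {
            continue; // blank line
        }
        if (count($rows) >= $maxRows || count($fields) !== count($header)) {
            fclose($fh);
            return ['ok' => false, 'error' => 'bad row ' . (count($rows) + 2)];
        }
        foreach ($fields as $value) {
            // Bounded length, valid UTF-8, no control or other non-printing characters
            // (preg_match returns false on invalid UTF-8, so !== 0 catches both cases).
            if (strlen($value) > 255 || preg_match('/\p{C}/u', $value) !== 0) {
                fclose($fh);
                return ['ok' => false, 'error' => 'disallowed character in row ' . (count($rows) + 2)];
            }
        }
        $rows[] = array_combine($header, $fields);
    }
    fclose($fh);
    return ['ok' => true, 'rows' => $rows];
}

// Accepted files go outside the document root (assumed path) under a random name,
// never under the client-supplied filename.
$result = validate_contacts_csv($_FILES['contacts']['tmp_name'], ['Name', 'E-mail 1 - Value']);
if ($result['ok']) {
    move_uploaded_file($_FILES['contacts']['tmp_name'], '/var/app/private_uploads/' . bin2hex(random_bytes(16)) . '.csv');
}
```

The parsed rows in `$result['rows']` are what the application should work with; the stored file is only kept as an audit copy and is never served back to a browser.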