jQuery Uploadify PHP Session Security Fix
I absolutely love the jQuery Uploadify plugin. It makes uploading multiple files extremely easy for any level of user. The one major problem I had was the security, so I checked some blogs, found out some methods people were using to add security and compiled my own.
Without some sort of protection the script is EXTREMELY vulnerable. If I can find your uploadify.php file, I can pass anything I want to it. Best case scenario, some porn or malicious content; worst case, I upload a script that allows me to access your config files, scan your entire server, etc.
Step 1: Make sure you assign some sort of session variable to check that the user is accessing this legitimately:
session_start(); // start (or resume) the session on the page that embeds the uploader
$_SESSION['something'] = 'some_val'; // marker that uploadify.php will look for
Step 2: Modify the 'script' variable to include the following:
'script' : 'uploadify.php?session_id=<?php echo(session_id());?>',
This will pass the session id in the query so you can utilize it in the next step...
Step 3: Modify the uploadify.php file (add to the beginning of the file):
session_id($_GET['session_id']); // use the id passed in the query string from Step 2
session_start(); // resume that session so $_SESSION is populated
if (!isset($_SESSION['something'])) { // marker from Step 1 missing: not a logged-in user
    header("HTTP/1.0 404 Not Found"); // pretend the script does not exist
    exit;
}
Passing the session_id in the query string lets uploadify.php load the same session even though the upload request is made completely behind the scenes and does not carry the user's session cookie.
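The three steps above, put together into one hardened guard for the top of uploadify.php. This is an added example, not the plugin's own code: it assumes Step 1 set $_SESSION['something'] on the embedding page and Step 2 passes that session's id as ?session_id=..., and it adds two checks a practitioner would want that the original steps skip. The session_id parameter is attacker-controlled, so it is validated against the character set and length PHP uses for its own session ids before it is handed to session_id(); and a session that resumes without the marker is destroyed rather than left lying around, because session_start() on an unknown id creates an empty session unless session.use_strict_mode is enabled. The upload-handling part at the end (the Filedata field name is Uploadify's default; the target directory and extension whitelist are assumptions) shows the kind of file-type check that stops the "worst case" the article describes.

```php
<?php
// Hardened guard for uploadify.php (example code, not Uploadify's own).
// Assumes the embedding page ran: session_start(); $_SESSION['something'] = 'some_val';

// 1. Validate the session id before trusting it. PHP session ids consist of
//    0-9, a-z, A-Z, ',' and '-' and are between 22 and 256 characters long,
//    so anything else is not a session id we issued and is rejected outright.
$sid = isset($_GET['session_id']) ? (string) $_GET['session_id'] : '';
if (!preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $sid)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}

session_id($sid);
session_start();

// 2. Require the marker set in Step 1. A made-up but well-formed id still gets
//    past session_start() (PHP just creates an empty session for it), so the
//    marker check is what actually proves a logged-in user is behind this call.
if (empty($_SESSION['something'])) {
    $_SESSION = array();
    session_destroy();            // do not leave an empty, attacker-named session on disk
    header('HTTP/1.0 404 Not Found');
    exit;
}

// 3. Only now handle the upload. 'Filedata' is Uploadify's default field name;
//    the target directory and the extension whitelist are assumptions for this example.
$targetDir = __DIR__ . '/uploads/';
$allowedExt = array('jpg', 'jpeg', 'png', 'gif', 'pdf');

if (!isset($_FILES['Filedata']) || $_FILES['Filedata']['error'] !== UPLOAD_ERR_OK) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}

// basename() strips any directory components an attacker put in the file name,
// and the whitelist refuses executable types such as .php, .phtml or .phar.
$name = basename($_FILES['Filedata']['name']);
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
if (!in_array($ext, $allowedExt, true)) {
    header('HTTP/1.0 415 Unsupported Media Type');
    exit;
}

// Store under a server-generated name so the client never chooses the path.
$storedName = bin2hex(openssl_random_pseudo_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['Filedata']['tmp_name'], $targetDir . $storedName)) {
    header('HTTP/1.0 500 Internal Server Error');
    exit;
}

echo '1'; // Uploadify treats a "1" response as a successful upload
```

Because the session id travels in the query string, it will show up in web server access logs and in any proxy between the uploader and the server, so this only holds up when the page and uploadify.php are served over HTTPS and those logs are treated as sensitive.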
That's pretty much it. No session = no access to the script. I've done some testing and it works perfectly.
I am a web developer, designer, and consultant located in the La Crosse / Onalaska Wisconsin region with over twelve years experience developing and managing projects ranging from large applications and cloud-based business solutions to social/new media campaigns, to complete system and infrastructure implementation.