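// Simple safe-upload sketch (illustrative only).
//
// Checks run in this order: upload status, size, extension allow-list,
// content type sniffed from the file bytes, agreement between extension and
// sniffed type, and (for images) a parse via getimagesize(). The file is then
// moved into a storage directory under a random name.

$allowed_ext = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
$max_size = 5 * 1024 * 1024; // 5 MB

// Accepted content types and the extensions each may be stored under.
// Checking the two lists independently would accept, for example, PDF bytes
// named "x.jpg"; the stored extension would then come from the client alone.
$mime_extensions = [
    'image/jpeg'      => ['jpg', 'jpeg'],
    'image/png'       => ['png'],
    'image/gif'       => ['gif'],
    'application/pdf' => ['pdf'],
];
$allowed_mimes = array_keys($mime_extensions);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['file'])) {
    $f = $_FILES['file'];

    // A multi-file field (name="file[]") makes 'error' an array, which also
    // fails this strict comparison, so only single uploads get past here.
    if ($f['error'] !== UPLOAD_ERR_OK) {
        exit('upload error');
    }

    // Confirm the temp path really is this request's upload before reading it.
    if (!is_uploaded_file($f['tmp_name'])) {
        exit('upload error');
    }

    if ($f['size'] > $max_size) {
        exit('too large');
    }

    // Extension check. $f['name'] is client-supplied: it is used only to read
    // the extension and never becomes part of the stored path.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        exit('ext not allowed');
    }

    // Content type detected from the file bytes, not from the client-sent
    // $_FILES['file']['type'].
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    if ($finfo === false) {
        // Fail closed when the fileinfo database cannot be opened.
        exit('mime check failed');
    }
    $mime = finfo_file($finfo, $f['tmp_name']);
    finfo_close($finfo);

    // Strict comparison: a false result from finfo_file() is rejected too.
    if (!in_array($mime, $allowed_mimes, true)) {
        exit('mime mismatch');
    }

    // The extension must belong to the detected type.
    if (!in_array($ext, $mime_extensions[$mime], true)) {
        exit('mime mismatch');
    }

    // Optional image-specific check. Warnings from malformed files are
    // suppressed on purpose; the false return is what rejects the upload.
    if (strpos($mime, 'image/') === 0) {
        if (@getimagesize($f['tmp_name']) === false) {
            exit('not an image');
        }
    }

    // Store outside the web root. NOTE(review): confirm this path is not
    // reachable through the document root or an alias in the server config.
    $storage = '/var/www/uploads_storage/';
    if (!is_dir($storage) && !mkdir($storage, 0700, true) && !is_dir($storage)) {
        // The second is_dir() covers a concurrent request creating it first.
        exit('storage unavailable');
    }

    // Random server-chosen name; only the validated extension is reused.
    $newname = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = $storage . $newname;

    if (move_uploaded_file($f['tmp_name'], $dest)) {
        // Owner read/write, group read, no access for others (best effort;
        // the result is not checked).
        chmod($dest, 0640);
        echo 'uploaded';
    } else {
        echo 'move failed';
    }
}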