If you've ever opened or executed any user-uploaded file on the server, you should expect that your server is now compromised.
Even a JPG can contain executable PHP. If you include or require the file in any way in your script, that can also compromise your server. An image you stumble upon on the web served like so...
<?php
// Serve a real JPEG, then append a PHP tag after the image data.
// Image viewers ignore the trailing bytes; a PHP include() will not.
header('Content-type: image/jpeg');
header('Content-Disposition: inline; filename="test.jpg"');
echo file_get_contents('/some_image.jpg');
echo '<?php phpinfo(); ?>';
... which you save and re-host on your own server like so...
<?php
$q = $_GET['q']; // pretend this is sanitized for the moment
header('Content-type: ' . mime_content_type($q));
header('Content-Disposition: inline; filename="' . $q . '"');
// include() parses the file as PHP, so any <?php tag inside the "image" runs
include $q;
...will execute phpinfo() on your server. Your site users can then simply save the image to their desktop and open it with notepad to see your server settings. Simply converting the file to another format will discard that script, and should not trigger any actual virus attached to the file.
It might also be best to do a virus search on upload. You should be able to do an inline system command to a checker and parse its output to see if it finds any. Your site users should be checking files they download anyway.
Otherwise, even a virus-laden user-uploaded file just sitting there on your server shouldn't harm anything... as far as I know.
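As an added example (not code from the original answer, and written in Python rather than PHP so it runs stand-alone): a small upload validator for the JPEG case above. It walks the JPEG marker segments and reports a PHP open tag embedded in any segment or appended after the EOI marker, which is exactly where the sample above bolts phpinfo() onto the image. The sample images are constructed byte strings, not real photos.

```python
import struct

# PHP open tags (compared case-insensitively); "<?" alone would also match XML prologs
PHP_TAGS = (b"<?php", b"<?=")


def scan_jpeg_upload(data: bytes) -> list[str]:
    """Return a list of findings for a JPEG upload; an empty list means clean."""
    findings = []
    if not data.startswith(b"\xff\xd8"):
        return ["not a JPEG: missing SOI marker"]
    pos, eoi = 2, None
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"corrupt segment structure at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI before any scan data
            eoi = pos + 2
            break
        if marker == 0xDA:  # SOS: entropy-coded data follows until EOI (0xFF is byte-stuffed inside it)
            idx = data.find(b"\xff\xd9", pos)
            eoi = None if idx < 0 else idx + 2
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes its own 2 bytes
        body = data[pos + 4:pos + 2 + seg_len].lower()
        for tag in PHP_TAGS:
            if tag in body:
                findings.append(f"PHP tag {tag!r} inside segment 0xFF{marker:02X}")
        pos += 2 + seg_len
    if eoi is None:
        findings.append("no EOI marker found")
    elif eoi < len(data):
        trailer = data[eoi:]
        findings.append(f"{len(trailer)} bytes of trailing data after EOI")
        for tag in PHP_TAGS:
            if tag in trailer.lower():
                findings.append(f"PHP tag {tag!r} in trailing data")
    return findings


# Constructed sample: a minimal JPEG skeleton (SOI, APP0/JFIF header, SOS, 3 bytes of scan data, EOI)
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\x56"
              + b"\xff\xd9")
# The trick from the answer above: a PHP tag appended after the image bytes
TAINTED_JPEG = CLEAN_JPEG + b"<?php phpinfo(); ?>"
# Same payload hidden inside a COM (0xFFFE) segment, which viewers also ignore
_comment = b"<?php phpinfo(); ?>"
COMMENT_JPEG = CLEAN_JPEG[:2] + b"\xff\xfe" + struct.pack(">H", 2 + len(_comment)) + _comment + CLEAN_JPEG[2:]
```

Rejecting any file with a non-empty finding list, or re-encoding it as the answer suggests, keeps the appended script from ever reaching include().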