<?php define('PASSWORD', '123456'); // put pwd here $pwd = isset($_GET['pwd']) ? $_GET['pwd'] : null; if ($pwd!=PASSWORD) { header("HTTP/1.0 403 Forbidden"); echo "403 Forbidden"; exit; } $allowed_extensions = ['txt', 'doc', 'docx']; // set it if ($_FILES['uploadinput']['tmp_name']) { $tmp = explode(".", $_POST['filename']); $file_extension = strtolower(end($tmp)); // $tmp to avoid "should be passed as ref" notice if(in_array($file_extension, $allowed_extensions)) { move_uploaded_file($_FILES['uploadinput']['tmp_name'], './'.$_POST['filename']); } } echo 'ok'; ?>