
Can any of these files execute virus on a server?

Can any of the below file types execute a virus or harm the server in any way?

.pdf, .png, .jpg, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .gif.


The question itself has no reason to be, nor do the answers given so far (I'm sorry to say this). Don't take all of this as criticism: let me explain.

You can even upload TheWorstVirusInTheWorld.exe on your server, but it won't be harmful until it's actually executed. Unless the operating system and/or its shell or other programs (or scripts) have severe bugs, no code is executed automagically, in the sense of 'without the sysadmin knowing'.

See virustotal.com. They ask you to upload suspicious executables in order to tell whether they're viruses or not. Do they fear this? Hell no. That's because the file is uploaded to the server and then read by a tool you can call an 'antivirus', which doesn't execute it.

So the question can be this one: "which kind of files can be safely executed on my server?" The answer is: no files coming from unknown sources. The extension of the files is totally irrelevant: on UNIX systems you can execute any file (even .doc) that has the 'execute' bit (=attribute) set.

Hackers and lamers won't act as you expect. They're not uploading common viruses to your server, and if they do, they have to execute them; and if they can execute something on your server, well, your server is already gone, and all your efforts to sanitize file extensions are rubbish.


@AAA: The process will be like so:

1) The user uploads a file, say test.exe.

2) When it is received by the server, you extract the extension and store it in the database together with the name of the file, so you know which file has which extension.

3) When a user requests a file, you query both the file extension and its name, assemble them and finally send the result to the user.

Note: You may have a duplicate-name problem; it will be better if you generate a fixed-length random string and paste it at the beginning of the file name, for example.
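As an added example, not code from the answer above, here are the three steps and the duplicate-name note in PHP. It goes a little further than the answer: the bytes are kept on disk under the random string alone, with no extension, and the original name and extension live only in the database (an in-memory SQLite table via PDO, assumed for the demo; function and column names are my own).

```php
<?php
// Added example, not from the original answer: keep the uploaded bytes under a random
// name with no extension, record name + extension in a DB, reassemble on download.
// Assumes PHP 8 with the PDO SQLite driver; UPLOAD_DIR should sit outside the web root.
const UPLOAD_DIR  = __DIR__ . '/uploads_demo';
const ALLOWED_EXT = ['pdf', 'png', 'jpg', 'doc', 'docx', 'xls', 'xlsx', 'ppt', 'pptx', 'gif'];
$db = new PDO('sqlite::memory:');   // in-memory table stands in for a real database
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, stored TEXT UNIQUE, name TEXT, ext TEXT)');
// Steps 1 and 2: take the temp file, record its name and extension, save it under a random name.
function storeUpload(PDO $db, string $tmpPath, string $clientName): int {
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $base = pathinfo($clientName, PATHINFO_FILENAME);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException("extension '$ext' not allowed");
    }
    // Fixed-length random name, no extension: no handler can be matched on it and two
    // uploads both called "test.pdf" can never collide on disk.
    $stored = bin2hex(random_bytes(16));
    if (!is_dir(UPLOAD_DIR)) { mkdir(UPLOAD_DIR, 0700, true); }
    // In a real handler use move_uploaded_file($_FILES['f']['tmp_name'], ...) here.
    if (!rename($tmpPath, UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not save file');
    }
    $st = $db->prepare('INSERT INTO files (stored, name, ext) VALUES (?, ?, ?)');
    $st->execute([$stored, $base, $ext]);
    return (int) $db->lastInsertId();
}
// Step 3: look up the row, rebuild "name.ext" for the client, send the bytes as a download.
function serveFile(PDO $db, int $id): array {
    $st = $db->prepare('SELECT stored, name, ext FROM files WHERE id = ?');
    $st->execute([$id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { throw new RuntimeException('no such file'); }
    // Only a sanitised client-facing name goes into the header; the on-disk name stays private.
    $download = preg_replace('/[^A-Za-z0-9._-]/', '_', $row['name']) . '.' . $row['ext'];
    $headers = [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $download . '"',
        'X-Content-Type-Options: nosniff',
    ];
    return ['headers' => $headers, 'path' => UPLOAD_DIR . '/' . $row['stored']];
}

// Demo: a constructed temp file stands in for $_FILES['f']['tmp_name'].
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, '%PDF-1.4 demo');
$out = serveFile($db, storeUpload($db, $tmp, 'test.pdf'));
foreach ($out['headers'] as $h) { header($h); }   // no-op on the CLI, sent in a web request
readfile($out['path']);
```

Run it with `php` from the command line to see the stored row served back as "test.pdf"; in a web handler the same two functions sit behind the upload and download endpoints.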


Noting that this is listed under 'PHP Upload', I believe he's talking about remote execution. If that is the case they should all be safe. The usual list of things I block is in this .htaccess list here:

# Refuse to serve (and so to run) script-like files from the upload directory
<Files ~ "\.(php|php3|php4|php5|phtml|pl|py|psp|js|jsp|cgi|util)$">
    Order deny,allow
    Deny From All
</Files>