Validate an uploaded file for size and viruses

I want to let users upload a profile picture from the front end of my WordPress blog. I found a plugin, "ad local avatar", which can help me with this (I haven't tried it yet).

But I fear what might happen if a user uploads a very large file or a virus-infected file. How can I do the following in WordPress (or PHP)?

  1. File size check before saving it to server. (Checking file size while it is being uploaded)
  2. Scan file contents
Cytochrome answered 17/4, 2011 at 2:54 Comment(0)
  1. File size check before saving it to server. (Checking file size while it is being uploaded)

The maximum file size is being checked by PHP when it decodes the POST request. It's set in the php.ini with upload_max_filesize. It's usually around 10MB or so.

But you can easily set your application-specific maximum file size with a simple test:

```php
if ($_FILES["image"]["size"] >= 500000) {
```

Then react accordingly and print an error message. 500K should be more than enough for profile images and avatars.

  2. Scan file contents

You will need to install a virus scanner on the server then. There are various available. Since it is open source, many Unix/Linux servers might have clamav. It can be utilized like this from PHP:

```php
// Quote the path so a crafted file name cannot inject shell commands
exec("clamscan " . escapeshellarg($filename), $output, $result);

if ($result === 0) {
     // everything ok
}
```

The output status $result would be 1 for a virus or 2 for other errors.

Gavotte answered 17/4, 2011 at 2:58 Comment(0)
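The two checks from the answer above combined into one upload handler, as an added example that is not part of the original answer. The function name `validate_avatar_upload()` is hypothetical, and the code assumes `clamscan` is on the server's PATH and the form field is named `image` as in the answer.

```php
<?php
// Added example (not the answer author's code). The "image" field and the
// 500000-byte limit come from the answer; the function name is hypothetical.
const MAX_AVATAR_BYTES = 500000;

/** Returns null when the upload is acceptable, otherwise an error message. */
function validate_avatar_upload(array $file, int $maxBytes = MAX_AVATAR_BYTES): ?string
{
    // PHP reports a breach of upload_max_filesize through the error code,
    // so check it before looking at anything else.
    $error = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($error === UPLOAD_ERR_INI_SIZE || $error === UPLOAD_ERR_FORM_SIZE) {
        return 'File exceeds the server upload limit.';
    }
    if ($error !== UPLOAD_ERR_OK) {
        return 'Upload failed (error code ' . $error . ').';
    }

    // Only accept a path that PHP itself created for this request.
    $tmp = $file['tmp_name'] ?? '';
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        return 'Not a valid uploaded file.';
    }

    // Application-specific limit, measured on the temporary file.
    $size = filesize($tmp);
    if ($size === false || $size >= $maxBytes) {
        return 'File is too large.';
    }

    // clamscan exit status: 0 = clean, 1 = virus found, 2 = error.
    $output = [];
    $status = 2;
    exec('clamscan --no-summary ' . escapeshellarg($tmp), $output, $status);
    if ($status === 1) {
        return 'File rejected by the virus scanner.';
    }
    if ($status !== 0) {
        // Fail closed: an unscanned file is treated as unsafe.
        return 'File could not be scanned.';
    }
    return null;
}

if (isset($_FILES['image'])) {
    $problem = validate_avatar_upload($_FILES['image']);
    echo $problem ?? 'Upload accepted.';
}
```

Call `move_uploaded_file()` only after the function returns null, so a rejected file never leaves PHP's temporary directory.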
