From: Richard Quadling on
On 6 September 2010 15:04, ash(a)ashleysheridan.co.uk
<ash(a)ashleysheridan.co.uk> wrote:
> I think you should not focus so much on the file extension, as that is mostly meaningless if someone wanted to attack your system.
>
> Instead, you could wrap a call to the command line 'file' command, which gives mostly accurate information about a file. Basically it reads the first few bytes to see if it is what it expected. There is a PHP wrapper for this, but I forget what it's called just now.
>
> If you do need to just grab a file extension though, you can do it with a call to pathinfo() with the 2nd argument of PATHINFO_EXTENSION.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
> ----- Reply message -----
> From: "Jordan Jovanov" <jovanovjoce(a)gmail.com>
> Date: Mon, Sep 6, 2010 14:46
> Subject: [PHP] Hi
> To: <php-general(a)lists.php.net>
> Cc: <jovanovjoce(a)gmail.com>
>
>
> Hi All
>
> I need a little help.
> I created a script for uploading files and it works very well, but the problem is this:
> I need to upload only .zip files; I need to prevent users from choosing to
> upload other file extensions.
>
> Can somebody help me.
>
> Thanks a lot.
>

How is the ['type'] arrived at within PHP? Is this supplied by the web
server? Or does PHP have to work it out before passing it to userland
code?

Either way, is it not accurate enough?

--
Richard Quadling
Twitter : EE : Zend
@RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY
From: ash(a)ashleysheridan.co.uk on
As far as I can remember it's supplied by the client user agent, hence the big issue with JPEG images uploaded by IE, as it uses a different type to all the other browsers.

Thanks,
Ash
http://www.ashleysheridan.co.uk

----- Reply message -----
From: "Richard Quadling" <rquadling(a)gmail.com>
Date: Mon, Sep 6, 2010 16:13
Subject: [PHP] Hi
To: "ash(a)ashleysheridan.co.uk" <ash(a)ashleysheridan.co.uk>
Cc: "Jordan Jovanov" <jovanovjoce(a)gmail.com>, <php-general(a)lists.php.net>


From: chris h on
On Mon, Sep 6, 2010 at 1:45 PM, chris h <chris404(a)gmail.com> wrote:

> Per PHPdocs on $_FILES['userfile']['type']...
>
> "The mime type of the file, if the browser provided this information. An
> example would be "image/gif". This mime type is however not checked on the
> PHP side and therefore don't take its value for granted."
>
>
> Personally I like to use the file right off-the-bat to ensure it's safe.
> So if it's an image do some kind of image manipulation function on it, if
> it's zip then use some zip functions on it (i.e. if you can read data from a
> zip file using a zip function then it's probably a real zip file). It can
> be slow, but handling user uploaded files is so dangerous that I think it's
> typically the way to go.
>
>
> Chris.
>
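
The suggestions in this thread combined, as an added example that is not code from any of the posters: it ignores the client-supplied name and ['type'] and decides from content, first with the fileinfo extension (which uses the same libmagic database as the 'file' command) and then by opening the archive with ZipArchive. The function name zip_rejection_reason, the size limit and the two sample files are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Needs the fileinfo and zip extensions.

/**
 * Judge an upload by its content only. Returns null when the file is accepted,
 * or a short string naming the reason it was rejected.
 */
function zip_rejection_reason(string $path, int $maxBytes = 10485760): ?string
{
    $size = @filesize($path);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        return 'bad size';
    }
    // Content sniffing: libmagic reads the leading bytes, as 'file' does.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($path) !== 'application/zip') {
        return 'content is not a zip';
    }
    // Then really parse it; CHECKCONS asks libzip for extra consistency checks.
    $zip = new ZipArchive();
    if ($zip->open($path, ZipArchive::CHECKCONS) !== true) {
        return 'zip library cannot open it';
    }
    $entries = $zip->numFiles;
    $zip->close();
    return $entries > 0 ? null : 'archive has no entries';
}

// Constructed sample inputs standing in for two $_FILES entries. In a real
// handler, first check ['error'] === UPLOAD_ERR_OK and is_uploaded_file().
$real = tempnam(sys_get_temp_dir(), 'up');
$zip = new ZipArchive();
$zip->open($real, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('hello.txt', 'hello');
$zip->close();

$fake = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, 'plain text saved under the name fake.zip');

$uploads = [
    ['name' => 'good.zip', 'type' => 'application/zip', 'tmp_name' => $real],
    ['name' => 'fake.zip', 'type' => 'application/zip', 'tmp_name' => $fake],
];
foreach ($uploads as $u) {
    // 'name' and 'type' come from the client and take no part in the decision.
    $reason = zip_rejection_reason($u['tmp_name']);
    printf("%s (client says %s): %s\n", $u['name'], $u['type'], $reason ?? 'accepted');
    unlink($u['tmp_name']);
}
```

Zip-based formats such as .docx or .jar may be reported by libmagic under their own MIME types, so the strict comparison above rejects them.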