[nycphp-talk] uploaded files
tedd
tedd at sperling.com
Wed Jul 26 13:21:19 EDT 2006
At 12:23 PM -0400 7/26/06, Rahmin Pavlovic wrote:
>On 7/26/06 11:37 AM, "Daniela Gutierrez" <daniela at ula.ve> wrote:
>
>> Hi everybody!
>>
>> I would like to know how to verify that the files they had been uploaded
>> by some user are j peg, because I only want them to upload images and I
> > also want to be sure that they are not uploading some kind of malicious
> > files.
>
>if (stristr($_FILES['file_field']['name'],'.jpg')=='' &&
> stristr($_FILES['file_field']['name'],'.jpeg')=='') {
> // not okay
>}
>else {
> // okay
>}
>
>That just checks for the existence of the file-extension in the filename
>(which you can tighten up), but I'm guessing you can do something similar to
>the following if you have a recent version of GD installed:
>
>if(!imagecreatefromjpeg($_FILES['file_field']['tmp_name'])) {
> // file doesn't appear to be a valid jpeg
>}
In addition to that, you might resample the image to a different
size, or convert to another format, or cut, or crop, or merge with
another image (i.e., copyright). If it is malicious code, then that
should cause the offending code some problems -- however -- I've
never encountered any malicious code, it's just an idea.
Furthermore, if you get the image size via:
$imageArray = getimagesize("the.jpg");
and dump the array.
print_r($imageArray);
You will see several data that you could test for.
I'm entertaining the same problem.
hth's
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
More information about the talk
mailing list