[nycphp-talk] uploaded files
Daniela Gutierrez
daniela at ula.ve
Wed Jul 26 15:01:04 EDT 2006
Thanks to tedd and rahmin fro their answers, I'm gonna try to do what
you advice me, i hope that will help me secure a little bit more my site.
Thanks again
tedd wrote:
>At 12:23 PM -0400 7/26/06, Rahmin Pavlovic wrote:
>
>
>>On 7/26/06 11:37 AM, "Daniela Gutierrez" <daniela at ula.ve> wrote:
>>
>>
>>
>>> Hi everybody!
>>>
>>> I would like to know how to verify that the files they had been uploaded
>>> by some user are j peg, because I only want them to upload images and I
>>>
>>>
>> > also want to be sure that they are not uploading some kind of malicious
>> > files.
>>
>>if (stristr($_FILES['file_field']['name'],'.jpg')=='' &&
>> stristr($_FILES['file_field']['name'],'.jpeg')=='') {
>> // not okay
>>}
>>else {
>> // okay
>>}
>>
>>That just checks for the existence of the file-extension in the filename
>>(which you can tighten up), but I'm guessing you can do something similar to
>>the following if you have a recent version of GD installed:
>>
>>if(!imagecreatefromjpeg($_FILES['file_field']['tmp_name'])) {
>> // file doesn't appear to be a valid jpeg
>>}
>>
>>
>
>In addition to that, you might resample the image to a different
>size, or convert to another format, or cut, or crop, or merge with
>another image (i.e., copyright). If it is malicious code, then that
>should cause the offending code some problems -- however -- I've
>never encountered any malicious code, it's just an idea.
>
>Furthermore, if you get the image size via:
>
>$imageArray = getimagesize("the.jpg");
>
>and dump the array.
>
>print_r($imageArray);
>
>You will see several data that you could test for.
>
>I'm entertaining the same problem.
>
>hth's
>
>tedd
>
>
More information about the talk
mailing list