NYPHP.org

[nycphp-talk] uploaded files

Daniela Gutierrez daniela at ula.ve
Wed Jul 26 15:01:04 EDT 2006


Thanks to tedd and rahmin for their answers. I'm gonna try to do what 
you advise, and I hope that will help me secure my site a little bit more.
Thanks again

tedd wrote:

>At 12:23 PM -0400 7/26/06, Rahmin Pavlovic wrote:
>
>>On 7/26/06 11:37 AM, "Daniela Gutierrez" <daniela at ula.ve> wrote:
>>
>>> Hi everybody!
>>>
>>> I would like to know how to verify that the files that have been uploaded
>>> by some user are JPEG, because I only want them to upload images and I
>>> also want to be sure that they are not uploading some kind of malicious
>>> files.
>>
>>if (stristr($_FILES['file_field']['name'],'.jpg')=='' &&
>>    stristr($_FILES['file_field']['name'],'.jpeg')=='') {
>>    // not okay
>>}
>>else {
>>    // okay
>>}
>>
>>That just checks for the existence of the file-extension in the filename
>>(which you can tighten up), but I'm guessing you can do something similar to
>>the following if you have a recent version of GD installed:
>>
>>if(!imagecreatefromjpeg($_FILES['file_field']['tmp_name'])) {
>>    // file doesn't appear to be a valid jpeg
>>}
>
>In addition to that, you might resample the image to a different 
>size, or convert to another format, or cut, or crop, or merge with 
>another image (i.e., copyright). If it is malicious code, then that 
>should cause the offending code some problems -- however -- I've 
>never encountered any malicious code, it's just an idea.
>
>Furthermore, if you get the image size via:
>
>$imageArray = getimagesize("the.jpg");
>
>and dump the array.
>
>print_r($imageArray);
>
>You will see several data that you could test for.
>
>I'm entertaining the same problem.
>
>hth's
>
>tedd
>  
>
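
Added example (not part of the original thread): the checks suggested above combined into one routine that identifies the file by content with getimagesize(), decodes it with imagecreatefromjpeg(), and stores a re-encoded copy under a server-generated name. The function name reencode_jpeg, the dimension limit and the sample files are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. reencode_jpeg() and $maxSide are
// hypothetical names chosen for illustration.
function reencode_jpeg(string $srcPath, string $destDir, int $maxSide = 4000): ?string
{
    // Identify by content, not by the client-supplied name; index 2 is IMAGETYPE_*.
    $info = @getimagesize($srcPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    [$w, $h] = $info;
    if ($w < 1 || $h < 1 || $w > $maxSide || $h > $maxSide) {
        return null; // refuse oversized images before decoding them
    }
    // Full decode with GD: data that GD cannot decode is rejected here.
    $img = @imagecreatefromjpeg($srcPath);
    if ($img === false) {
        return null;
    }
    // Re-encode from pixels, so metadata and trailing bytes are not copied.
    // The stored name is generated server-side with a fixed extension.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    return imagejpeg($img, $dest, 85) ? $dest : null;
}

// Constructed sample inputs (not real uploads).
$dir = sys_get_temp_dir();

// 1) A real JPEG with script text appended after the image data.
$good = tempnam($dir, 'up');
imagejpeg(imagecreatetruecolor(32, 32), $good);
file_put_contents($good, "<?php echo 'x'; ?>", FILE_APPEND);

// 2) Script text only; a client could still name this "photo.jpg".
$bad = tempnam($dir, 'up');
file_put_contents($bad, "<?php echo 'x'; ?>");

$stored = reencode_jpeg($good, $dir);
var_dump($stored !== null);                                       // accepted?
var_dump(strpos(file_get_contents($stored), '<?php') === false);  // appended text gone?
var_dump(reencode_jpeg($bad, $dir));                              // rejected?
```

In an upload handler, pass $_FILES['file_field']['tmp_name'] to the function after confirming it with is_uploaded_file(), and keep the destination directory somewhere the web server does not execute scripts.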



