TalkPHP


Orc 02-04-2008 04:49 PM

Image Uploading
 
When making an upload script, does the name key (e.g. $_FILES['image']['name']) contain the file type as well (e.g. .JPG), or do I have to just get that from $_FILES['image']['type']?

Just wondering. :]

Village Idiot 02-04-2008 05:00 PM

Edit: I feel like an idiot. Yes, it does contain the extension. But the type var does not contain data like .jpg

PHP: Handling file uploads - Manual
A complete reference on that.

For your question, type returns the MIME type. But do NOT rely on this because it is not checked for authenticity and can be forged. What I do is this

PHP Code:

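// $file_name: the uploaded file's name (assumed to come from $_FILES['image']['name'])
$filetype2 = explode('.', $file_name);
// Take the part after the last period and lower-case it
$filetype = $filetype2[sizeof($filetype2) - 1];
$filetype = strtolower($filetype);

if ($filetype == 'jpeg' || $filetype == 'jpg')
{
    //continue
}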

That gets the value after the last period (so filename.jpg.php can't trick it like it can some). As long as the last extension is acceptable, the server will run it as that no matter what content.

Note: We subtract one from sizeof because it starts at one, not zero like arrays do.

Salathe 02-04-2008 06:43 PM

You state that people shouldn't rely on the MIME type passed along with the uploaded file, because it is not checked for authenticity and can be forged, but have no qualms with 'trusting' the file extension?

Also, using an alternative method, the extension can be grabbed with: $ext = pathinfo($filename, PATHINFO_EXTENSION);

Finally, to answer the original question posed by Orc, $_FILES[...]['name'] will contain the name of the file as sent by the browser (eg. myimage.jpg), extension and all.

Village Idiot 02-05-2008 12:49 AM

If the file's name extension is correct it cannot pose a threat; the server runs files based off what those letters are. It doesn't matter what code you put in a jpg, it can't execute a script unless there is some serious error with the server OS.

Orc 02-06-2008 06:52 PM

Thanks guys. I was just trying to restrict it to only .GIF, .PNG and .JPG image types, throwing an exception for others if they don't match gif, png or jpg.

EyeDentify 02-07-2008 12:22 PM

I'm in the process of developing a fileserver platform for personal use and for the fun of it, powered by PHP5 and MySQL.

And so far I've built in MIME checks and size checks, and will use Salathe's method to check the file extensions also.

For double security.

Would one check for something else?

I was thinking about using some image functions to make sure "image.jpg" is in fact an image file.

/EyeDentify

Village Idiot 02-07-2008 03:08 PM

Either one should work, I don't see why you need to be redundant. If you want to make triple sure it is a valid image, run it through a GD process; it will return an error if the image isn't valid. Although for speed reasons that would be a ridiculous measure.
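
The checks raised across this thread (last-extension allowlist via pathinfo(), ignoring the browser-sent MIME type, and confirming the bytes are an image) combined into one function, as an added example that is not code from any poster. The function name safe_image_name, the use of getimagesize() as the "image function" check, and the random on-disk file name are assumptions of this example; the sample files are constructed inline.

```php
<?php
// Added example, not code from the thread; all names here are hypothetical.

/**
 * Returns a server-generated file name for an acceptable upload, or null.
 * $clientName: browser-supplied name ($_FILES[...]['name']).
 * $tmpPath: where PHP stored the bytes ($_FILES[...]['tmp_name']).
 */
function safe_image_name(string $clientName, string $tmpPath): ?string
{
    // Detected content type => extensions allowed to carry that type.
    $allowed = [
        IMAGETYPE_GIF  => ['gif'],
        IMAGETYPE_JPEG => ['jpg', 'jpeg'],
        IMAGETYPE_PNG  => ['png'],
    ];

    // Last extension only, lower-cased, so "x.jpg.php" yields "php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));

    // Identify the content from its bytes; the browser-sent 'type' is not used.
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    // The extension must agree with what the bytes actually are.
    if (!in_array($ext, $allowed[$info[2]], true)) {
        return null;
    }
    // Do not reuse the client's name on disk; keep only the vetted extension.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed sample inputs: a 1x1 GIF and a text file, written to temp files.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode(
    'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, 'plain text, not image data');

$cases = [['photo.gif', $gif], ['photo.GIF', $gif], ['photo.jpg', $gif],
          ['photo.gif.php', $gif], ['photo.jpg', $txt]];
foreach ($cases as [$name, $path]) {
    printf("%-14s %s\n", $name, safe_image_name($name, $path) ?? 'rejected');
}
unlink($gif);
unlink($txt);
```

In an upload handler, the returned name would be the destination file name passed to move_uploaded_file(), inside a directory of your choosing.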

