[nycphp-talk] limit file types on image uploads?

Mark Armendariz nyphp at enobrev.com
Thu Jul 17 09:44:49 EDT 2003


>>DON'T use this, because submissions from AOL users choke due to their
>>browser not sending a proper mime type,

AOL doesn't send a MIME type?!?

I've been using this in my upload class for quite some time now without
much (any?) issue:

	// Map the browser-supplied MIME type to a file extension
	switch ($_FILES[$this->field_name]["type"]) {
		case 'application/octet-stream':
		default:
			// Unfamiliar extension (includes fla) must find extension otherwise
			$file_array = explode('.', $this->file_name);
			$this->extension = end($file_array);
			break;

		case 'application/x-shockwave-flash':
			$this->extension = 'swf';
			break;

		case 'application/postscript':
			// Should be ai ps or eps
			$file_array = explode('.', $this->file_name);
			// Take the last part so names with more than one dot still work
			$this->extension = end($file_array);
			break;

		case 'application/pdf':
			$this->extension = 'pdf';
			break;

		case 'audio/mpeg':
			$this->extension = 'mp3';
			break;

		case 'audio/x-ms-wma':
			$this->extension = 'wma';
			break;

		case 'audio/ogg':
			$this->extension = 'ogg';
			break;

		case 'audio/x-pn-realaudio':
			$this->extension = 'ram';
			break;

		case 'audio/x-aiff':
			$this->extension = 'aiff';
			break;

		case 'audio/wav':
			$this->extension = 'wav';
			break;

		case 'image/gif':
			$this->extension = 'gif';
			break;

		case 'image/jpeg':
		case 'image/pjpeg':
			$this->extension = 'jpg';
			break;

		case 'image/x-png':
			$this->extension = 'png';
			break;

		case 'image/psd':
			$this->extension = 'psd';
			break;

		case 'image/bmp':
			$this->extension = 'bmp';
			break;
	}


-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
On Behalf Of Analysis & Solutions
Sent: Thursday, July 17, 2003 1:28 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] limit file types on image uploads?


Hi Folks:

On Wed, Jul 16, 2003 at 07:11:46PM -0400, Keith Richardson wrote:
> $fileparts = explode(".",$filename);
> $extention = $fileparts[sizeof($fileparts)-1]; 

This process is completely insecure.  I can put up anything as long as I
give it an acceptable extension.

As mentioned by others earlier, use getimagesize().  Here's some code from
a project of mine:

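    // getimagesize() reads the file itself and returns false for non-images
    if ( !$Info = getimagesize($_FILES['Photo']['tmp_name']) ) {
        $Prob[] = 'File isn\'t an image';
    } elseif ($Info[2] != 2) {
        // Index 2 is the detected image type; 2 is IMAGETYPE_JPEG
        $Prob[] = 'Image is not in JPEG format';
    }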


DON'T use this, because submissions from AOL users choke due to their
browser not sending a proper mime type, if one at all:

    if ($_FILES['Photo']['type'] != 'image/jpeg') {
        $Prob[] = 'File is not in JPEG format';
    }

--Dan

-- 
     FREE scripts that make web and database programming easier
           http://www.analysisandsolutions.com/software/
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7th Ave #4AJ, Brooklyn NY    v: 718-854-0335   f: 718-854-0409
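
Added example, not part of either message: the getimagesize() approach from the thread, extended to choose the stored extension from the file's content instead of from $_FILES[...]['type'] or the file name. The helper name detect_image_extension, the allowlist and the sample files are assumptions made for this illustration.

```php
<?php
// Added example, not from the thread: pick the stored extension from the
// file's own bytes and ignore the client-supplied name and MIME type.

// Allowlist (assumed for this example): detected image type => extension.
const ALLOWED_IMAGE_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

// Hypothetical helper: $upload is one entry of $_FILES.
// Returns the extension to store under, or null to reject the upload.
function detect_image_extension(array $upload): ?string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // @ hides the notice getimagesize() can emit on unreadable data.
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false) {
        return null; // content is not a recognised image
    }
    // An image, but only allowlisted formats get an extension.
    return ALLOWED_IMAGE_TYPES[$info[2]] ?? null;
}

// Constructed samples: a 1x1 GIF header and a text file posing as a JPEG.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, 'GIF89a' . pack('v2C3', 1, 1, 0, 0, 0) . ';');
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, 'plain text, not image data');

$samples = [
    // No MIME type and no extension from the browser; the content is a GIF.
    ['name' => 'holiday', 'type' => '', 'tmp_name' => $gif, 'error' => UPLOAD_ERR_OK],
    // Acceptable extension and MIME type, but the content is not an image.
    ['name' => 'photo.jpg', 'type' => 'image/jpeg', 'tmp_name' => $txt, 'error' => UPLOAD_ERR_OK],
];
foreach ($samples as $s) {
    $ext = detect_image_extension($s);
    echo $s['name'], ' => ', $ext === null ? 'rejected' : "store as .$ext", "\n";
}
unlink($gif);
unlink($txt);
```

In a real upload handler, also check is_uploaded_file($upload['tmp_name']) before reading the file; it is left out here so the constructed temp files can be used.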