[Solved]Upload ==> File Ext Check
Posted: Fri Oct 28, 2005 4:08 pm
by scts102
Hey,
I have a simple form that uploads an image to my webserver. The form is on, let's call it index.php
index.php POSTs to process.php, which does sql entries and the like. Here is my question: without using the browser mime types, how can I determine the type of file uploaded? And if it is not from a list of accepted exts, then remove the file?
Thanks.
Re: Upload ==> File Ext Check
Posted: Fri Oct 28, 2005 5:58 pm
by alex.barylski
scts102 wrote:
Hey,
I have a simple form that uploads an image to my webserver. The form is on, let's call it index.php
index.php POSTs to process.php, which does sql entries and the like. Here is my question: without using the browser mime types, how can I determine the type of file uploaded? And if it is not from a list of accepted exts, then remove the file?
Thanks.
Could you not just use pathinfo and check the extension against an array of allowed file types???
The other more elaborate way would be to open files upon uploading and check the files header for known signatures or magic cookies...
For instance BMP files or GIF files have (I can't remember where exactly) within the first couple of bytes strings such as "BM" (BITMAPS) or "GIF89a" (GIF).
Of course...the problems with this approach are obvious
EDIT Sorry...to complete your question...
Code:
$tmp_arr = pathinfo($path); // $path is the file just uploaded
// Get the file extension (empty string when the name has none)
$ext_allowed = isset($tmp_arr['extension']) ? strtolower($tmp_arr['extension']) : '';
// Array of safe file extensions to upload
$safe_ext = array('gif', 'bmp', 'jpeg', 'jpg'); // MUST be lower case!!!
// in_array() compares the values; array_key_exists() would only test the numeric keys 0-3
if (in_array($ext_allowed, $safe_ext, true)) {
    // Move file to permanent location - other than temp directory
} else {
    // delete the file - it's not allowed
    unlink($path);
}
HTH
Cheers
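The two checks from the reply above (extension allowlist plus header signature) combined into one decision, as an added example that is not code from this thread. The function names, the extension-to-type map and the sample files are assumptions made for the illustration.

```php
<?php
// Added example: function names, the map and the sample files are hypothetical.

// Map each allowed extension to the image type its header must identify.
$allowed = array('gif' => 'gif', 'bmp' => 'bmp', 'jpg' => 'jpeg', 'jpeg' => 'jpeg');

// Identify the type from the leading bytes; returns null when nothing matches.
function sniff_image_type($path) {
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = (string) fread($fh, 6);
    fclose($fh);
    if ($head === 'GIF87a' || $head === 'GIF89a') {
        return 'gif';
    }
    if (substr($head, 0, 2) === 'BM') {
        return 'bmp';
    }
    if (substr($head, 0, 3) === "\xFF\xD8\xFF") {
        return 'jpeg';
    }
    return null;
}

// Accept only when the extension is allowlisted AND the header agrees with it.
function upload_is_allowed($clientName, $tmpPath, $allowed) {
    $ext = strtolower((string) pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return false;
    }
    return sniff_image_type($tmpPath) === $allowed[$ext];
}

// Constructed sample uploads: client file name => leading bytes of the content.
$samples = array(
    'photo.gif'  => "GIF89a\x01\x00\x01\x00",
    'scan.JPG'   => "\xFF\xD8\xFF\xE0\x00\x10JFIF",
    'notes.gif'  => "plain text renamed to .gif",
    'report.pdf' => "%PDF-1.4",
    'logo.bmp'   => "GIF89a\x01\x00",
);
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    echo $name, ': ', upload_is_allowed($name, $tmp, $allowed) ? 'accept' : 'reject', "\n";
    unlink($tmp);
}
```

In process.php the two arguments would come from $_FILES['image']['name'] and $_FILES['image']['tmp_name'], where 'image' is an assumed form field name. A matching header only shows how the file begins, not what the rest of it contains.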
Posted: Sat Oct 29, 2005 12:18 pm
by scts102
That worked,
Thanks!