My upload form uses move_uploaded_file() to upload an image to a specified target folder on my web server. I have verified this works on my local test server, so I'm *assuming* it should work once the upload form goes live.
Now, this is my first attempt at doing this and I'm trying to place an emphasis on security. My concerns are:
1) only jpegs allowed
There are limitations on using $_FILES['file']['type'] and mime_content_type(), and they are easily forged. I've read that files of different types have a unique starting structure (JPEG is FF D8 FF), so this has given me the idea of checking the file structure to verify its contents, although I'm not entirely sure how to go about doing this.
2) max file size of 2mb
Pretty straightforward to check.
3) limit on characters in file name
Again, this should be pretty straightforward to check.
Any pointers for writing a sound and secure upload form would be greatly appreciated.
thanks
verifying file types
Re: verifying file types
sh33p1985 wrote: 1) only jpegs allowed
There are limitations on using $_FILES['file']['type'] and mime_content_type(), and they are easily forged.

$_FILES[...]['type'] yes, mime_content_type() not so easy, because

sh33p1985 wrote: I've read that files of different types have a unique starting structure (JPEG is FF D8 FF), so this has given me the idea of checking the file structure to verify its contents, although I'm not entirely sure how to go about doing this.

that's more or less what mime_content_type() does. It compares the file contents (not all of it, only the first significant bytes) with patterns of known file types.
See also http://de2.php.net/getimagesize

sh33p1985 wrote: 3) limit on characters in file name
Again, this should be pretty straightforward to check.

Define the limits.
More helpful info here - viewtopic.php?p=119445#119445
kettle_drum
As volka said, the best way to check the mime type is to use the getimagesize() function. As for limiting the characters in the file name - I would personally just rename the files in a standard way so that you don't even need to check for whitespace or other potential illegal file names - if you really need to know what the user named the file, then store this with a reference to the file in a database.
I find there is nothing worse from a usability point of view when a site just throws back errors instead of at least trying to use the data that was submitted.
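The checks discussed in this thread (the FF D8 FF signature, getimagesize(), the 2 MB limit and server-side renaming) combined in one handler, as an added example that is not code from any poster. The constant names, the `file` form field and the `uploads` folder are assumptions.

```php
<?php
// Added example: MAX_BYTES, UPLOAD_DIR and the form field 'file' are assumed names.
const MAX_BYTES  = 2 * 1024 * 1024;        // 2 MB limit from the original post
const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed target folder
// True only if $path passes the size limit, the signature check and a header parse.
function looks_like_jpeg(string $path): bool
{
    $size = filesize($path);
    if ($size === false || $size < 4 || $size > MAX_BYTES) {
        return false;
    }
    $head = file_get_contents($path, false, null, 0, 3);   // first three bytes only
    if ($head !== "\xFF\xD8\xFF") {                        // JPEG signature FF D8 FF
        return false;
    }
    // getimagesize() parses the image header; index 2 is an IMAGETYPE_* constant.
    $info = @getimagesize($path);
    return $info !== false && $info[2] === IMAGETYPE_JPEG;
}

// Server-chosen name, so the client's file name never reaches the file system.
function storage_name(): string
{
    return bin2hex(random_bytes(16)) . '.jpg';
}
function handle_upload(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name']) || !looks_like_jpeg($file['tmp_name'])) {
        throw new RuntimeException('not an acceptable JPEG');
    }
    $name = storage_name();
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;   // keep $file['name'] only as data, e.g. in a database column
}

if (isset($_FILES['file'])) {
    echo handle_upload($_FILES['file']);
} elseif (PHP_SAPI === 'cli') {
    // Constructed sample for a command-line check: a text file is rejected.
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, 'plain text, not an image');
    var_dump(looks_like_jpeg($tmp));
    unlink($tmp);
}
```

getimagesize() only reads the header, so the fixed `.jpg` extension and generated name do the rest of the work: nothing the client supplied decides how the stored file is named or served.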