verifying file types
Posted: Mon Oct 30, 2006 8:31 am
My upload form uses move_uploaded_file() to upload an image to a specified target folder on my web server. I have verified this works on my local test server, so I'm *assuming* it should work once the upload form goes live.
Now, this is my first attempt at doing this and I'm trying to place an emphasis on security. My concerns are:
1) only jpegs allowed
There are limitations on using $_FILES['file']['type'] and mime_content_type(), and they are easily forged. I've read that files of different types will have a unique starting structure (JPEG is FF D8 FF), so this has given me the idea of checking the file structure to verify its contents, although I'm not entirely sure how to go about doing this.
2) max file size of 2mb
Pretty straightforward to check.
3) limit on characters in file name
Again, this should be pretty straightforward to check.
Any pointers for writing a sound and secure upload form would be greatly appreciated.
thanks
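
The three checks listed in the post, as an added example that is not part of the original post: it reads the first three bytes of the temporary file and compares them with FF D8 FF, measures the size on disk, and checks the name length. The function name, the constants, the 64-character name limit and `$targetDir` are assumptions made for the illustration.

```php
<?php
// Added example. validate_jpeg_upload() and the constants are hypothetical names.
const MAX_BYTES    = 2 * 1024 * 1024; // 2 MB limit from the post
const MAX_NAME_LEN = 64;              // assumed value; the post gives no number
const JPEG_MAGIC   = "\xFF\xD8\xFF";  // signature quoted in the post

// Returns a list of problems for one $_FILES entry; an empty list means it passed.
function validate_jpeg_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['upload did not complete'];
    }
    $fh = fopen($file['tmp_name'], 'rb');
    if ($fh === false) {
        return ['temporary file is not readable'];
    }
    $size = fstat($fh)['size']; // size on disk, not the client-reported $file['size']
    $head = fread($fh, 3);      // first three bytes only
    fclose($fh);

    $errors = [];
    if ($size > MAX_BYTES) {
        $errors[] = 'file is larger than 2 MB';
    }
    if (strlen(basename($file['name'])) > MAX_NAME_LEN) {
        $errors[] = 'file name is too long';
    }
    if ($head !== JPEG_MAGIC) {
        $errors[] = 'content does not start with FF D8 FF';
    }
    return $errors;
}

// Constructed sample input: both entries claim to be a JPEG; only the bytes differ.
$samples = ['real signature' => JPEG_MAGIC . "\xE0 constructed", 'forged type' => 'plain text'];
foreach ($samples as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $entry = ['name' => 'photo.jpg', 'type' => 'image/jpeg',
              'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
    $problems = validate_jpeg_upload($entry);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'ok', "\n";
    unlink($tmp);
}

// In the live handler, after an empty result: confirm is_uploaded_file($file['tmp_name']),
// then store under a server-chosen name instead of the client's, e.g.
// move_uploaded_file($file['tmp_name'], $targetDir . '/' . bin2hex(random_bytes(16)) . '.jpg');
```

The signature check only establishes what the first three bytes are; everything after them is unchecked, which is why the stored name and its fixed `.jpg` extension are chosen by the server rather than taken from the upload.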