Check "HTTP_RAW_POST_DATA" type before writing the file ?
Posted: Wed Jul 08, 2009 11:21 am
Hi everyone !
I spent the day making searches on the web, but I can't find what I'm looking for.
I guess there will be someone here that will be able to help me on this...
So I've got a Flash application which allows the user to draw whatever they want to and send me the resulting image.
I use the JPGEncoder class in ActionScript 3, it generates a ByteArray, then I call a PHP script to handle the file creation.
Here's a part of the AS3 code :
Code:
    // Encode the finished drawing as JPEG bytes
    var _JPGByteArray:ByteArray = _JPGEncoder.encode( _finalBitmapData );
    // POST the raw bytes to the PHP script; the file name travels in the query string
    var _saveURLRequestHeader:URLRequestHeader = new URLRequestHeader( "Content-type", "application/octet-stream" );
    var _saveURLRequest:URLRequest = new URLRequest( "save_jpg.php?name=" + _finalName );
    _saveURLRequest.requestHeaders.push( _saveURLRequestHeader );
    _saveURLRequest.method = URLRequestMethod.POST;
    _saveURLRequest.data = _JPGByteArray;
    var _saveURLLoader:URLLoader = new URLLoader();
    _saveURLLoader.dataFormat = URLLoaderDataFormat.BINARY;
    _saveURLLoader.addEventListener( Event.COMPLETE, _saveComplete );
    _saveURLLoader.load( _saveURLRequest );
And here's the PHP code I use to create the file on the server :
Code:
    <?php
    // Raw POST body sent by the Flash client
    if( isset( $GLOBALS[ "HTTP_RAW_POST_DATA" ] ) )
    {
        $jpg = $GLOBALS[ "HTTP_RAW_POST_DATA" ];
        // Target path is built from the "name" query parameter
        if( $fp = fopen( "drawings/".$_GET[ 'name' ], 'w' ) )
        {
            if( fwrite( $fp, $jpg ) )
            {
                if( fclose( $fp ) )
                {
                    echo 'ok';
                }
                else
                {
                    echo 'fclose_failed';
                }
            }
            else
            {
                echo 'fwrite_failed';
            }
        }
        else
        {
            echo 'fopen_failed';
        }
    }
    else
    {
        echo 'process_failed';
    }
    ?>
But of course I can't use this safely, for I guess anyone could send any raw data to the PHP script and make it write a corrupted file on the server.
So my first question is :
Is there a way to perform a type check on HTTP_RAW_POST_DATA to make sure it actually is a jpg image file ?
Or is there a way (other than HTTP_RAW_POST_DATA) to get the data that will allow this kind of check ?
If not :
Could I avoid writing the file on the server and send it directly to me attached to an email ?
But would it be safer ?
Thank you for your help !
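One way to do the type check the post asks about, as an added example that is not part of the original post: the body is read from `php://input` (`$HTTP_RAW_POST_DATA` was deprecated in PHP 5.6 and removed in PHP 7.0), verified as a JPEG from its bytes, re-encoded with GD, and written under a server-generated name instead of the `name` query parameter. It assumes PHP 7.1+ with the GD extension and the post's `drawings/` directory; `MAX_BYTES`, `validated_jpeg()` and `store_drawing()` are hypothetical names, and the size cap and quality value are assumed.

```php
<?php
// Added example (not the poster's code): accept a raw POST body only if it
// decodes as a JPEG, then store a re-encoded copy under a server-chosen name.
// MAX_BYTES, the function names and the quality value are assumptions.

const MAX_BYTES = 2097152; // assumed 2 MiB upper bound for one drawing

// Returns a clean JPEG byte string, or null when $raw is not a usable JPEG.
function validated_jpeg(string $raw): ?string
{
    if ($raw === '' || strlen($raw) > MAX_BYTES) {
        return null;
    }
    // Header check: getimagesizefromstring() reads the format from the bytes
    // themselves, not from the Content-Type header the client supplies.
    $info = @getimagesizefromstring($raw);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    // Full decode: a body GD cannot decode as an image is rejected here.
    $img = @imagecreatefromstring($raw);
    if ($img === false) {
        return null;
    }
    // Re-encode so that only pixel data reaches the disk; bytes appended
    // after the image or carried in metadata segments are dropped.
    ob_start();
    $ok = imagejpeg($img, null, 90);
    $clean = ob_get_clean();
    return ($ok && $clean !== '') ? $clean : null;
}

// Stores the image under a random name so no client input reaches the path.
function store_drawing(string $jpeg, string $dir): ?string
{
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $written = file_put_contents($dir . '/' . $name, $jpeg, LOCK_EX);
    return $written === strlen($jpeg) ? $name : null;
}

// Read at most MAX_BYTES + 1 so an oversized body is rejected, not buffered.
$raw  = file_get_contents('php://input', false, null, 0, MAX_BYTES + 1);
$jpeg = is_string($raw) ? validated_jpeg($raw) : null;
$name = $jpeg !== null ? store_drawing($jpeg, __DIR__ . '/drawings') : null;
echo $name !== null ? 'ok' : 'process_failed';
```

The same `validated_jpeg()` check applies unchanged if the image is attached to an e-mail instead of being written to disk, since it operates on the byte string alone.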