mime-type validation
Posted: Fri Oct 02, 2009 12:23 am
This question has probably come up before. First of all, let me say...I am a complete beginner when it comes to PHP. Please dumb down your responses if you can lol I'll try my best to keep up.
I have a webform that allows users to upload files and sends them using PHP Post. I've already built in client-side "extension validation" that runs when the submit button is pressed.
I have a few questions regarding server side security and validation.
1.) Is it better to allow users to upload files to a secure directory on the server via the webform or to do as I am doing now with attaching the files and sending in email via PHP Post?
2.) Is it possible, using PHP, to check the mime-type of a file before it's attached to email to make sure that it is really an image file? (The files are being uploaded via webform and sent as attachments using the PHP POST method, I would assume that there has to be a way to validate the mime-type using PHP before the POST operation begins or completes?)
3.) Is mime-type validation the most secure way on the server side to verify file contents?
4.) If I decide to allow users to upload files to a secure directory on the server, will it be possible, using PHP, to automatically create a subfolder/subdirectory named after one of the data entries made by the user on the webform, and have the image files placed in that subdirectory (and set permissions on the subdirectory)?
Thanks in advance!
Don