upload files

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

upload files

Post by kippy »

What is the best way to define a set of file types for uploads?
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

The best? Db table or config array - both will work well if handled properly.
kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

Post by kippy »

Thanks for the quick response....

So basically I can set up an array with extensions and compare it to the $_FILE$[$filename]['type'] ?
User avatar
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

Comparing file extension to type makes little sense because of:
PHP manual wrote: $_FILES['userfile']['type']

The mime type of the file, if the browser provided this information. An example would be "image/gif". This mime type is however not checked on the PHP side and therefore don't take its value for granted.
kippy
Forum Commoner
Posts: 84
Joined: Wed Jun 07, 2006 8:25 pm

Post by kippy »

I see...I guess I am confused then on how I will use the array?
User avatar
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

The config array will define what the allowed types are. In order to get the type from the file, however, you will have to sniff it using mime magic (if you have fileinfo, use finfo_file(), you can also try mime_content_type())
Post Reply