howto validate .pdf .doc upload?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

howto validate .pdf .doc upload?

Post by jmut »

Hi. I know how to validate image uploads, but how do I validate .pdf and .doc files? I know the file extension is not the best way.
Thanks
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: howto validate .pdf .doc upload?

Post by Mordred »

Since you're asking in "Security", I assume that you're worried about backdoor installation. I don't think there's a viable way to check the contents of any file and find if it's secure to have on the server. So don't!

- Upload the files in a folder outside of the webroot, or if not possible, one which has the php engine disabled (via .htaccess).
- Don't use ANY PART of the user-supplied file name. Generate a random one, keep the real one in the db if you must.
- If possible, serve the file through a PHP script (i.e. keep the true filename completely secret from the user)
- Don't have LFI vulnerabilities ;) (the previous point will help though)

If you just want to know if the files look at least superficially like docs and pdfs - check the corresponding file formats and look in the file headers.
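
The checklist in the post above, as an added example that is not part of the original thread: a random stored name, storage outside the webroot, a superficial header check, and delivery through a PHP script. `UPLOAD_DIR`, `sniff_format()`, `store_upload()` and `serve_upload()` are hypothetical names, the path is an assumption, and `random_bytes()` needs PHP 7 or later.

```php
<?php
// Added example; every name below is hypothetical, not from the thread.
const UPLOAD_DIR = '/var/app-data/uploads';   // assumed path outside the webroot
// Leading bytes of the accepted formats: PDF, and the OLE2 container used by legacy .doc.
const MAGIC = [
    'pdf' => "%PDF-",
    'doc' => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
];

// Returns the format key if the file starts with a known signature, else null.
function sniff_format(string $path): ?string
{
    $head = (string) file_get_contents($path, false, null, 0, 8);
    foreach (MAGIC as $type => $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return $type;
        }
    }
    return null;
}

// Stores one entry of $_FILES under a random name; returns [id, type] for the db row.
function store_upload(array $file): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $type = sniff_format($file['tmp_name']);
    if ($type === null) {
        throw new RuntimeException('not a PDF or DOC header');
    }
    $id = bin2hex(random_bytes(16));            // no part of $file['name'] is used
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('could not store file');
    }
    return [$id, $type];
}

// Streams a stored file as a download; the on-disk name never reaches the client.
function serve_upload(string $id, string $type): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {  // accept only ids in our own format
        throw new InvalidArgumentException('bad id');
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="download.' . $type . '"');
    readfile(UPLOAD_DIR . '/' . $id);
}
```

The header check only confirms the first bytes; a file that passes can still carry arbitrary content after them, which is why the storage and serving steps do the real work.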
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Re: howto validate .pdf .doc upload?

Post by Kieran Huggins »

There are ways to test the file's mime-type, but it's a bit of a mess in PHP at the moment. A quick search of the forums should reveal about 3 different methods, with related pros and cons.