Hi. I know how to validate image uploads, but how do I validate .pdf and .doc files? I know the file extension is not the best way.
Thanks
howto validate .pdf .doc upload?
Re: howto validate .pdf .doc upload?
Since you're asking in "Security", I assume that you're worried about backdoor installation. I don't think there's a viable way to check the contents of any file and find if it's secure to have on the server. So don't!
- Upload the files in a folder outside of the webroot, or if not possible, one which has the PHP engine disabled (via .htaccess).
- Don't use ANY PART of the user-supplied file name. Generate a random one, keep the real one in the db if you must.
- If possible, serve the file through a PHP script (i.e. keep the true filename completely secret from the user).
- Don't have LFI vulnerabilities (the previous point will help though).
If you just want to know if the files look at least superficially like docs and PDFs - check the corresponding file formats and look in the file headers.
- Kieran Huggins
Re: howto validate .pdf .doc upload?
There are ways to test the file's mime-type, but it's a bit of a mess in PHP at the moment. A quick search of the forums should reveal about 3 different methods, with related pros and cons.
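The first reply's advice (header check, random stored name, storage outside the webroot) can be combined as in the following added example, which is not code from any poster in this thread. The directory path, the function names `sniffType` and `storeUpload`, and the form field name `document` are assumptions made for illustration.

```php
<?php
// Added example: UPLOAD_DIR and the function names are assumptions, not from the thread.
const UPLOAD_DIR = '/var/app/uploads';   // assumed path outside the webroot

// Leading bytes ("magic numbers") of the accepted formats.
const SIGNATURES = [
    'pdf' => "%PDF-",                             // PDF header
    'doc' => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",  // OLE2 container (legacy .doc, also .xls/.ppt)
];

// Return 'pdf' or 'doc' if the file starts with a known signature, else null.
// This is only the superficial "looks like" check, not proof the file is safe.
function sniffType(string $path): ?string
{
    $head = (string) file_get_contents($path, false, null, 0, 8);
    foreach (SIGNATURES as $type => $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

// Store one $_FILES entry under a random name; returns the stored name or null if rejected.
function storeUpload(array $file, string $dir = UPLOAD_DIR): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $type = sniffType($file['tmp_name']);
    if ($type === null) {
        return null;   // header matches neither accepted format
    }
    // Random server-side name: no part of $file['name'] reaches the filesystem.
    $stored = bin2hex(random_bytes(16)) . '.' . $type;
    if (!move_uploaded_file($file['tmp_name'], $dir . '/' . $stored)) {
        return null;
    }
    // Keep $file['name'] only as data (e.g. a DB column) to show on download.
    return $stored;
}

// Usage in an upload handler, assuming a form field called "document":
// $stored = storeUpload($_FILES['document']);
```

Because the extension on disk is derived from the detected signature and the name is random, a download script can look the file up by database id and never expose the stored path.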