$_FILES['file']['type'] Question

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

santomonasterio
Forum Newbie
Posts: 1
Joined: Tue Jun 24, 2008 8:01 am

$_FILES['file']['type'] Question

Post by santomonasterio »

Is the information inside $_FILES['file']['type'] the one provided by the browser?
Or does PHP/Apache get this info by itself?

Thanks :mrgreen:
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: $_FILES['file']['type'] Question

Post by Mordred »

RTFM
Unsafe.
LBmtb
Forum Newbie
Posts: 23
Joined: Wed May 14, 2008 11:14 am

Re: $_FILES['file']['type'] Question

Post by LBmtb »

Lots of things to do when doing file uploads. First of all, and maybe most importantly, use is_uploaded_file() (move_uploaded_file() checks for that automatically, btw). Do you have a whitelist of file types you accept from the user? If so, add in validation that checks for those types.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: $_FILES['file']['type'] Question

Post by Mordred »

http://www.scanit.be/uploads/php-file-upload.pdf for starters
There are some issues with that paper, which I'm too lazy to write about yet, but it covers the basics and (hopefully) eliminates the most stupid mistakes one can make.
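
The checks discussed in this thread, as an added example that is not part of any poster's reply: `$_FILES['file']['type']` is the MIME type sent by the client and PHP does not verify it, so the sketch below ignores it and applies a whitelist to a type detected on the server with the fileinfo extension. The whitelist contents, the `store_upload()` helper name and the destination directory are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed whitelist: server-detected MIME type => extension we assign.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Hypothetical helper: validate one entry of $_FILES and move it into $destDir.
 * Returns the stored path; throws RuntimeException on any failed check.
 */
function store_upload(array $file, string $destDir): string
{
    // $file['type'] and $file['name'] come from the client; neither is used below.
    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or malformed request');
    }
    // Confirms tmp_name really is a file PHP received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Detect the type from the file contents on the server side.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('File type not allowed');
    }
    // Server-chosen name and extension, so the client controls neither.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    return $target;
}

// Usage; the destination directory is a hypothetical path outside the web root.
if (isset($_FILES['file'])) {
    try {
        store_upload($_FILES['file'], '/var/app/uploads');
        echo 'Stored upload';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected';
    }
}
```

Content-based detection narrows what is accepted but does not prove a file is harmless, so the stored files should still live where the web server will not execute them.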