First regex
Posted: Wed Jul 02, 2008 1:25 pm
by duveit
This is a complete newb question. I've studied the reference at http://www.regular-expressions.info/reference.html for a bit. I want to make a check on user input on filetypes using the filename, so that no scripts etc. may be uploaded.
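Code:
<?php
$fileName = "mein.jpg";
// Accept only names ending in .jpg, .png or .gif (case-insensitive).
// preg_match() replaces eregi(), which was removed in PHP 7; the D modifier
// keeps $ from matching before a trailing newline, as in the POSIX original.
$regex = '/\.(jpg|png|gif)$/iD';
if (!preg_match($regex, $fileName)) echo "Not accepted: ".$fileName." - ".$regex;
else echo "Accepted: ".$fileName." - ".$regex;
?>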
This seems to work when I test it, however I'd like to ask you pros if there is some flaw to it, seeing how this bit is critical for safety.
Re: First regex
Posted: Wed Jul 02, 2008 1:48 pm
by prometheuzz
duveit wrote: This is a complete newb question. I've studied the reference at http://www.regular-expressions.info/reference.html for a bit. I want to make a check on user input on filetypes using the filename, so that no scripts etc. may be uploaded.
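Code:
<?php
$fileName = "mein.jpg";
// Accept only names ending in .jpg, .png or .gif (case-insensitive).
// preg_match() replaces eregi(), which was removed in PHP 7; the D modifier
// keeps $ from matching before a trailing newline, as in the POSIX original.
$regex = '/\.(jpg|png|gif)$/iD';
if (!preg_match($regex, $fileName)) echo "Not accepted: ".$fileName." - ".$regex;
else echo "Accepted: ".$fileName." - ".$regex;
?>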
If you are only interested in files whose names end with ".jpg", ".png" or ".gif" (case insensitive), then yes, that is correct.
duveit wrote: This seems to work when I test it, however I'd like to ask you pros if there is some flaw to it, seeing how this bit is critical for safety.
Of course, one can rename an arbitrary file with one of those extensions "jpg", "png" or "gif". Just because a file ends with ".jpg", it doesn't mean it really is a JPG image.
Re: First regex
Posted: Wed Jul 02, 2008 2:25 pm
by duveit
prometheuzz wrote: Of course, one can rename a file that is neither of the types you accept by changing the file name. Just because a file ends with ".jpg", it doesn't mean it really is a JPG image.
That's true enough, but having i.e. a PHP script named image.jpg wouldn't be an issue, as it wouldn't go through the PHP or any other script interpreter (I'd think). Although checking the file type with the php::finfo_file() function for the MIME type is something I should add, I reckon.
Thanks for feedback!
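An added example (not part of the original thread and not either poster's code) that combines the extension check with the finfo content check mentioned in the post above. checkUpload(), the ALLOWED map and the sample files are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. checkUpload() and the sample files are hypothetical.
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function checkUpload(string $clientName, string $tmpPath): array
{
    // 1. Extension allow-list: the thread's pattern, in PCRE form.
    if (!preg_match('/\.(jpg|png|gif)$/iD', $clientName, $m)) {
        return [false, 'extension not allowed'];
    }
    // 2. Content check: ask libmagic what the bytes are, ignoring the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($tmpPath);
    if ($mime !== ALLOWED[strtolower($m[1])]) {
        return [false, "content is $mime, not an image of the claimed type"];
    }
    return [true, $mime];
}

// Constructed sample inputs: a 1x1 GIF and a harmless PHP script.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$php = "<?php echo 'hello'; ?>\n";

$cases = [
    ['pixel.gif', $gif],   // genuine image, matching name
    ['image.jpg', $php],   // script renamed to .jpg
    ['pixel.jpg', $gif],   // image, but not the claimed type
    ['script.php', $php],  // fails the name check alone
];
foreach ($cases as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    [$ok, $why] = checkUpload($name, $tmp);
    printf("%-10s %s (%s)\n", $name, $ok ? 'accepted' : 'rejected', $why);
    unlink($tmp);
}
```

In a real upload handler the second argument would be the temporary path from $_FILES. Because content sniffing only inspects the leading bytes, accepted files should still be stored under a server-generated name in a directory the web server never executes scripts from.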
Re: First regex
Posted: Wed Jul 02, 2008 2:30 pm
by prometheuzz
duveit wrote:...
Thanks for feedback!
You're welcome.