On 10/27/05, Nicob <nicob@xxxxxxxxx> wrote:
> On Tuesday, 25 October 2005 at 17:02 -0400, Paul Laudanski wrote:
> >
> > Anyone have other ideas on this? I've already implemented some code
> > to validate file input and it's working. But is this the right
> > approach?
>
> I'm not sure I understand what you're talking about, but if you're
> trying to positively validate that file XYZ is an image and not a PHP
> file, you're asking for trouble:
>

If your web application provides a mechanism for users to upload photos,
then the best solution so far that I've found is this.

. If you are storing the file in the file system, log it with a
non-guessable filename, or better yet, outside the webroot.

. Govern all access to this image by directing access through a script
that acts as a proxy. Spit the binary data back out to the browser, but
make certain that you are setting the Content-Disposition: attachment
HTTP header. This will cause all direct hits to this file to be
downloaded to the client workstation rather than executing the file in
the context of the hosting domain, but still allow <img> tags to
function properly.

And this technique is applicable for any type of file upload your site
might be providing.

Comments?

And I really don't see how this could ever be used to execute
server-side script unless for some bizarre reason you had your
webserver so completely misconfigured as to be beyond imagination. Why
would you be parsing image files through the PHP interpreter? We're
talking about two completely different issues.
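As an added illustration (not code from anyone in this thread), here is the two-step scheme from the post written out in PHP 7+: a random, non-guessable name for the stored file in a directory outside the document root, and a proxy script that streams the bytes back with Content-Disposition: attachment. The storage path, the form field name "photo", the query parameter "id" and the function names are all assumptions for the example.

```php
<?php
// Added example, not from the original thread. Paths and names are assumptions.

// Storage directory OUTSIDE the document root (assumed path; adjust per host).
const UPLOAD_DIR = '/var/www/private_uploads';

// The only image types we are willing to store and serve, mapped to an extension.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// Step 1: store an uploaded file under a non-guessable name, outside the webroot.
// Returns the opaque id the application references later, or null if rejected.
function storeUpload(array $file): ?string
{
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Sniff the actual content instead of trusting the client-supplied name or type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // 128-bit random id: the only handle the client ever sees or can reference.
    $id = bin2hex(random_bytes(16));
    $dest = UPLOAD_DIR . '/' . $id . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $id;
}

// Step 2: the proxy script. Maps the id back to the stored file and streams it
// with Content-Disposition: attachment, so a direct hit is offered as a download
// rather than rendered in this origin, while <img src="image.php?id=..."> still works.
function serveImage(string $id): void
{
    // The id is the only client-controlled input; pin it to the exact shape we
    // generate so it can never become a path component or traversal sequence.
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {
        http_response_code(404);
        return;
    }
    $matches = glob(UPLOAD_DIR . '/' . $id . '.*');
    if (!$matches) {
        http_response_code(404);
        return;
    }
    $path = $matches[0];
    // Re-check the stored content before serving; never echo a type we did not allow.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    if (!isset(ALLOWED_TYPES[$mime])) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . filesize($path));
    header('Content-Disposition: attachment; filename="' . $id . '.' . ALLOWED_TYPES[$mime] . '"');
    header('X-Content-Type-Options: nosniff'); // stop browsers second-guessing the type
    readfile($path);
}

// Dispatch (assumed layout): a POSTed form field "photo" stores, ?id=... serves.
if (PHP_SAPI !== 'cli') {
    if (isset($_FILES['photo'])) {
        $id = storeUpload($_FILES['photo']);
        echo $id === null ? 'rejected' : 'stored as ' . htmlspecialchars($id);
    } elseif (isset($_GET['id'])) {
        serveImage((string) $_GET['id']);
    }
}
```

The point of the id check and the second finfo sniff is that the web server never serves anything from UPLOAD_DIR on its own, and the proxy only ever emits bytes it has just confirmed to be an allowed image type; whatever name or extension the uploader chose is discarded at step 1 and plays no part in what is served.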