I have an upload form on which I would only like to allow compressed zip files and rar files to be uploaded. Currently I use
if ($_FILES['userfile']['type'] != 'application/x-zip-compressed')
which only seems to work in IE and doesn't work in Mozilla (haven't tried others). What's the best way to detect if it's a rar or zip file that works in a better range of browsers? Someone gave me a suggestion to check if the file ends in .rar or .zip, but that isn't very secure since anyone would be able to append it to the filename regardless of the actual file type.
Thanks.
Your current method is not secure either. The Content-Type header is supplied by the browser and can be easily spoofed. Mozilla just sends another type; mine is set to send application/zip for .zip files.
The best bet is to use the mime_content_type() function, which checks the first few bytes. Still, this does not help with malformed files that can possibly exploit known vulnerabilities in archiving applications.
If you put the files in a publicly accessible location, be sure to check the file extension too.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
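The two checks suggested in the reply (inspect the first bytes of the file, and also check the extension), combined in one added example that is not code from the thread. It compares the leading bytes against the ZIP and RAR signatures directly instead of calling mime_content_type(); the function names and sample files are constructed for illustration.

```php
<?php
// Added example; detect_archive_type() and upload_is_allowed() are hypothetical names.
const ARCHIVE_SIGNATURES = [
    'zip' => ["PK\x03\x04", "PK\x05\x06"],                 // normal archive, empty archive
    'rar' => ["Rar!\x1A\x07\x00", "Rar!\x1A\x07\x01\x00"], // RAR 1.5-4.x, RAR 5
];

// Return 'zip', 'rar', or null, based only on the file's first bytes.
function detect_archive_type(string $path): ?string
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = (string) fread($fh, 8);
    fclose($fh);
    foreach (ARCHIVE_SIGNATURES as $type => $signatures) {
        foreach ($signatures as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                return $type;
            }
        }
    }
    return null;
}

// Accept only when the content signature and the client-supplied extension agree.
// The browser's Content-Type ($_FILES[...]['type']) is deliberately never consulted.
function upload_is_allowed(string $tmpPath, string $clientName): bool
{
    $ext  = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    $type = detect_archive_type($tmpPath);
    return $type !== null && $ext === $type;
}

// Constructed sample inputs; in a real handler pass $_FILES['userfile']['tmp_name']
// (after is_uploaded_file()) and $_FILES['userfile']['name'].
$samples = [
    ['good.zip',    "PK\x03\x04" . str_repeat("\0", 26)],
    ['good.rar',    "Rar!\x1A\x07\x00" . str_repeat("\0", 13)],
    ['page.zip',    "<html>not an archive</html>"],
    ['archive.php', "PK\x03\x04" . str_repeat("\0", 26)],
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-12s %s\n", $name, upload_is_allowed($tmp, $name) ? 'accept' : 'reject');
    unlink($tmp);
}
```

A matching signature only shows that the file starts like an archive; as the reply notes, it says nothing about whether the rest of the file is well-formed.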