On Tue, 2005-03-29 at 22:23, Richard Lynch wrote:
> > //The mime type of the file, if the browser provided this information.
> > $userfile_type=$_FILES['userfile']['type'];
>
> Nooooooooooooooo!

Hmm - some very senior people disagree with you!

> First of all, the browsers do *NOT* provide any kind of standardized MIME
> types.
>
> One will call it text/x-csv, the other text/csv, the other text/plain, ...

Interesting.

> Now you're probably not gonna be silly enough to just go and exec() that
> script,

No - of course not - you never trust anything coming from outside - the above script is a first pass, no more than that.

> but what if they manage to find *another* user on your server who
> does just that?

I don't understand what you mean here - I can't control what scripts other people write and I can't afford a dedicated server.

> Assume the file you are getting is hostile.

Absolutely.

> Use the Unix "file" command to analyze it.

I come from a Windows background so I've never heard of this command and it's not featured in any of the (many) PHP books I have read. Probably because it's platform specific.

> Then use your own script to analyze it, and be sure it contains suitable
> data.

Absolutely.

Alan

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
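
The sequence of checks discussed in this message (ignore the browser-supplied type, identify the content on the server, then validate it with your own script), as an added example that is not part of the original thread. It uses PHP's fileinfo extension, which is built on the same libmagic database as the Unix "file" command and is also available on Windows; the function names, size cap, allow-list, column count and field pattern are assumptions for a simple two-column CSV.

```php
<?php
// Added example: helper names, limits and patterns below are assumptions.
const MAX_BYTES = 1048576;   // assumed 1 MiB cap
// Types libmagic may report for CSV text; adjust to what your build returns.
const ALLOWED_TYPES = ['text/plain', 'text/csv', 'application/csv'];

// Returns the parsed rows, or throws if the file is not the CSV we expect.
function validate_csv_file(string $path, int $columns): array
{
    $size = filesize($path);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('unexpected file size');
    }
    // Server-side content sniffing; $_FILES[...]['type'] is never consulted.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($detected, ALLOWED_TYPES, true)) {
        throw new RuntimeException("rejected content type: $detected");
    }
    // Sniffing is only a coarse filter, so parse and check every row ourselves.
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        throw new RuntimeException('cannot open file');
    }
    $rows = [];
    while (($row = fgetcsv($fh, 4096, ',', '"', '\\')) !== false) {
        if ($row === [null]) { continue; }   // blank line
        $bad = count($row) !== $columns
            || preg_grep('/\A[\w .@-]{0,100}\z/', $row, PREG_GREP_INVERT);
        if ($bad) {
            fclose($fh);
            throw new RuntimeException('row failed validation');
        }
        $rows[] = $row;
    }
    fclose($fh);
    return $rows;
}

// Upload entry point: confirm PHP itself received the file before touching it.
function validate_upload(array $file, int $columns): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not a valid upload');
    }
    return validate_csv_file($file['tmp_name'], $columns);
}
// Constructed sample input so the content checks can be run from the CLI.
$tmp = tempnam(sys_get_temp_dir(), 'csv');
file_put_contents($tmp, "name,email\nalice,alice@example.com\n");
var_dump(count(validate_csv_file($tmp, 2)));
unlink($tmp);
```

In a real upload handler the call would be validate_upload($_FILES['userfile'], 2), with the file kept outside the web root until it passes.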