Re: filtering uploaded files

On Sat, April 2, 2005 6:35 am, Marek Kilimajer said:
> Angelo Zanetti wrote:
>> Hi Richard, this sounds like quite a serious subject, but is there no
>> other way to check the validity of the file and type without using the
>> unix command?
>>
>> i.e. using PHP and not depending on system commands? Thanks for your
>> insight so far, very important.
>
> The equivalent of the `file` command is the mime_content_type() PHP
> function (if enabled). Other alternatives are to use fgetcsv() to check if
> the file is a CSV file, imagesize() to check for image files, and similar.
>
> But you can never be 100% sure the file is completely valid without
> checking the whole file. For example mime_content_type() and imagesize()
> check only first few bytes, but the rest of the file might be junk.

Calling imagecreatefromXYZ on it would check that at least it SEEMS like a
valid XYZ file for images -- Of course, I'm sure somebody can craft an
image that will not return an error code for those functions and do
something malicious under certain circumstances.

It's also possible, though unlikely, that calling imagecreatefromXYZ (or
even getimagesize) will trigger the malicious code in and of itself.

Can you afford the time to call imagecreatefromXYZ?  I dunno.

Only you can evaluate the risk/benefit and time/resources trade-offs to
decide what's "secure enough".

Security is a gradient, not an on/off switch.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
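A layered version of the checks discussed in this thread (header sniff with getimagesize(), full decode with imagecreatefromXYZ, then re-encode from pixels), written as an added example rather than code from the thread. It assumes PHP 7.1+ with the GD extension loaded; the function name and the constructed sample file are mine.

```php
<?php
// Added example: validate an uploaded image in stages and store a re-encoded copy.
// Assumes GD is loaded. $path is the temporary upload; $outPath receives the clean copy.

function validate_and_reencode_image(string $path, string $outPath): array {
    // Stage 1: header sniff. getimagesize() reads only the leading bytes, so it
    // accepts a file whose header is fine and whose tail is junk (Marek's point).
    $info = @getimagesize($path);
    if ($info === false) {
        return ['ok' => false, 'stage' => 'header'];
    }
    $codecs = [
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng'],
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif'],
    ];
    if (!isset($codecs[$info[2]])) {
        return ['ok' => false, 'stage' => 'type'];   // allow-list of formats
    }
    [$load, $save] = $codecs[$info[2]];
    // Stage 2: full decode. Pushes the whole pixel stream through the decoder,
    // so truncated or structurally broken image data is rejected here.
    $img = @$load($path);
    if ($img === false) {
        return ['ok' => false, 'stage' => 'decode'];
    }
    // Stage 3: re-encode from the decoded pixels only. GD's encoders write a fresh
    // file, so bytes appended after the image data never reach the stored copy.
    $save($img, $outPath);
    imagedestroy($img);
    clearstatcache();
    return ['ok' => true, 'stage' => 'done',
            'bytes_in' => filesize($path), 'bytes_out' => filesize($outPath)];
}

// Constructed sample: a 2x2 PNG with 256 junk bytes appended after IEND.
$tmp = tempnam(sys_get_temp_dir(), 'up');
$src = imagecreatetruecolor(2, 2);
imagepng($src, $tmp);
imagedestroy($src);
file_put_contents($tmp, str_repeat('JUNK', 64), FILE_APPEND);

$out = $tmp . '.clean.png';
$result = validate_and_reencode_image($tmp, $out);
var_dump($result);   // header and decode stages both pass; bytes_out < bytes_in
unlink($tmp);
unlink($out);
```

The sample shows both of the thread's points at once: the header sniff and even the full decode accept the file with trailing junk, and only the re-encode step drops it. The decode stage runs untrusted bytes through libpng/libjpeg, which is the exposure Richard describes, so it belongs in a sandboxed or isolated worker where that cost is acceptable.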

