John Nichel wrote:
> Jack Jackson wrote:
>> <snip>
>> Also, it seems that directories must be blown wide open (777) to allow
>> the script to copy the file over from /tmp. My ISP won't allow
>> directories to be set to 777 under public_html/ -- but we need to
>> access the files via web browser which is the whole point.
> It shouldn't have to be this way. The webserver should be configured to
> run as your virtual user, or belong to a group which has write
> permission to that directory, or.....I'm getting a bit off track with
> that. This is something you'll have to take up with your ISP.
>> So my questions:
>> 1. How do you validate Word and Excel files before upload?
> Before? JavaScript...if JavaScript can even do it (I haven't touched
> the stuff in ages). After upload, you can check the mime type, but
> that's not foolproof.
>> 2. How can I make a passthrough from a file above public_html to one
>> below it so that people can surf in with a browser and download files
>> which have been uploaded by the script?
> http://us4.php.net/move_uploaded_file
Indeed file types are not foolproof, for example Windows provides the
mime-type based on the file type in your system. Whatever browser the
user has, if you don't have for example Acrobat Reader installed, all
PDF files will be uploaded as application/octet-stream files.
So in no way should you ever validate a file based on its extension or
on its mime type since 93% of the machines out there use the extension to
determine the mime type.
The only virtually failproof way to test for a certain file is using the
header of the file. For example, getimagesize uses the header of the
file to find what type of file it is. I wouldn't recommend parsing the
file, imagine someone uploaded an imposing 10 or even 100 MB file. The
only way would be to read the first few characters and compare them with
standard headers in those particular files. This will be an almost
failproof way to see if an uploaded file is of the correct type.
The only 2 drawbacks to this method are:
- 1) Someone with malicious intentions CAN change the header of a file
to force it to look like another type of file. What the end result is I
dare not think about. It could be used for any kind of hacking or
damaging effect.
- 2) With ever changing versions of WORD and EXCEL, you need to
implement a series of different headers for PC, MAC and even possibly
LINUX if there is a version of these with slightly different headers. So
it makes your code get heavier each year or so.
Mathieu Dumoulin
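The header check Mathieu describes, together with the move_uploaded_file storage and the "passthrough from above public_html" asked about in question 2, as one added PHP example. This is not code from the thread or from php.net: the storage directory, the form field name `document`, the `id` query parameter, the size cap and the two-entry signature table are assumptions chosen for illustration. The signatures themselves are the well-known OLE2 compound-document header (legacy .doc/.xls) and the ZIP local-file header (.docx/.xlsx), so the example generalizes the post's "read the first few characters" idea to both generations of Office files.

```php
<?php
// Added example, not from the mailing-list thread. Validates an uploaded Word/Excel
// file by its leading bytes, stores it above the web root under a server-chosen
// name, and streams it back through a passthrough script. Paths, field names and
// the size cap below are assumptions.

// Magic-byte signatures for the formats discussed in the thread.
// Legacy .doc/.xls are OLE2 compound documents; .docx/.xlsx are ZIP containers.
const OFFICE_SIGNATURES = [
    'ole2' => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", // Office 97-2003 .doc / .xls
    'zip'  => "PK\x03\x04",                        // Office Open XML .docx / .xlsx
];

const STORAGE_DIR = __DIR__ . '/../uploads';   // assumed: one level above public_html
const MAX_BYTES   = 5 * 1024 * 1024;            // assumed size cap

// Read only the first 8 bytes, as the post suggests, instead of parsing the file.
// Returns the matching signature name, or null when no known header is present.
function sniff_office_type(string $path): ?string
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = (string) fread($fh, 8);
    fclose($fh);
    foreach (OFFICE_SIGNATURES as $type => $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $type;
        }
    }
    return null;
}

// Handle one entry of $_FILES: check PHP's own upload result, the size, then the
// header; finally move the file out of the web root under a random name so the
// client-supplied filename never reaches the filesystem and nothing in the upload
// directory is ever executed or served directly by the web server.
function handle_upload(array $file): array
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return ['ok' => false, 'reason' => 'no valid upload'];
    }
    if ($file['size'] > MAX_BYTES) {
        return ['ok' => false, 'reason' => 'file too large'];
    }
    $type = sniff_office_type($file['tmp_name']);
    if ($type === null) {
        return ['ok' => false, 'reason' => 'header is not a Word/Excel document'];
    }
    $stored = bin2hex(random_bytes(16)) . '.' . $type;
    if (!move_uploaded_file($file['tmp_name'], STORAGE_DIR . '/' . $stored)) {
        return ['ok' => false, 'reason' => 'could not store file'];
    }
    return ['ok' => true, 'id' => $stored, 'type' => $type];
}

// Passthrough for question 2: the browser requests download.php?id=<stored name>,
// the script accepts only names of the exact shape it generated (which rules out
// "../" and any other path component), and streams the file from above public_html
// as an attachment so the browser saves it rather than rendering or sniffing it.
function send_stored_file(string $id): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\.(ole2|zip)\z/', $id)) {
        return false;
    }
    $path = STORAGE_DIR . '/' . $id;
    if (!is_file($path)) {
        return false;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
    return true;
}

// Minimal dispatch when run under a web server (skipped on the command line).
if (PHP_SAPI !== 'cli') {
    if (isset($_FILES['document'])) {
        header('Content-Type: application/json');
        echo json_encode(handle_upload($_FILES['document']));
    } elseif (isset($_GET['id'])) {
        if (!send_stored_file((string) $_GET['id'])) {
            http_response_code(404);
        }
    }
}
```

The design follows the post's own caveat: because a header can be forged, the check is treated as a filter on what gets stored, not as proof the content is safe, so the file is kept outside public_html, given a name the uploader does not control, and always delivered as an opaque attachment rather than handed to the web server to interpret. Adding a new Office variant later is a matter of adding one entry to `OFFICE_SIGNATURES` and the matching alternative in the `preg_match` pattern.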
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php