On Wednesday 23 November 2005 03:15, twistednetadmin wrote:
> I use this line in a script for uploading pictures to a website:
>
> $_FILES['guildimage']['type'] == "image/jpeg"
> [snip]

Please understand that the type is set by the browser and is never to be
trusted. Especially with file uploads, extreme caution applies.
If all you want to upload are images, then ONLY rely on the php builtin
getimagesize.

Example

    // The assignment needs its own parentheses so that $result holds the
    // array returned by getimagesize() and not the result of the comparison.
    if (($result = @getimagesize($_FILES['guildimage']['tmp_name'])) === false)
        die('Invalid picture');
    list($width, $height, $type) = $result;
    switch ($type)
    {
        case 1: # gif
            break;
        case 2: # jpeg
            break;
        case 3: # png
            break;
        # case ...: see php getimagesize documentation
    }

And always use the move_uploaded_file function so you are sure you really are
moving an uploaded file and not one that is already on the server.

Example

    move_uploaded_file($_FILES['guildimage']['tmp_name'], $publicdir);

This function will fail if called with a file that was not uploaded.

HTH

Andy

--
Now listening to Top! Radio Live www.topradio.be/stream on amaroK
Geek code: www.vlaamse-kern.com/geek
Registered Linux User No 379093
If life was for sale, what would be its price?
www.vlaamse-kern.com/sas/ for free php utilities
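The two checks from the reply above combined into one upload handler, as an added example that is not part of the original message. The function names image_extension_for() and store_uploaded_image(), the $destDir parameter and the random file naming are assumptions made for illustration; the sample files at the end are constructed.

```php
<?php
// Added example; function names and $destDir are hypothetical.
function image_extension_for(string $path): ?string
{
    // Decide from the file's own header, never from $_FILES[...]['type'].
    $info = @getimagesize($path);
    if ($info === false) {
        return null;
    }
    $allowed = [
        IMAGETYPE_GIF  => 'gif',  // type 1 in the reply's switch
        IMAGETYPE_JPEG => 'jpg',  // type 2
        IMAGETYPE_PNG  => 'png',  // type 3
    ];
    // Any other image type getimagesize() recognises is rejected.
    return $allowed[$info[2]] ?? null;
}

function store_uploaded_image(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $ext = image_extension_for($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('Invalid picture');
    }
    // Server-chosen name: the client-supplied name and extension are ignored.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // Fails unless tmp_name really is a file uploaded in this request.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Not an uploaded file');
    }
    return $target;
}

// Offline check with constructed inputs: a minimal GIF header and PHP source.
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'not an image';");
var_dump(image_extension_for($gif));
var_dump(image_extension_for($php));
unlink($gif);
unlink($php);
```

In a request handler the call would be store_uploaded_image($_FILES['guildimage'], $publicdir), with $publicdir holding a directory path.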