Or put it in a directory with no PHP or CGI.

On 1/22/06, jonathan <news_php@xxxxxxxxxxxx> wrote:
> this is a little my fault. the example my friend showed me was a
> retracing of the example he saw in Pro PHP Security (p284).
> Basically, the short of the example is that a valid gif image could
> be uploaded with the extension .php and pass a getimagesize because
> it would have the necessary bytestream to think that it is a gif but
> that arbitrary php code could be appended at the end. To get around
> this, you just need to check for a valid file extension (.gif etc...)
> and mimetype.
>
> -jonathan
>
>
> On Jan 22, 2006, at 2:58 AM, Rory Browne wrote:
>
> > I'd be a bit skeptical about the possibility of embedding PHP code inside
> > a GIF file. Could you outline how he performed the task?
> >
> > On 1/22/06, jonathan <news_php@xxxxxxxxxxxx> wrote:
> >> what is the best way to prevent malicious code from being uploaded
> >> via a .gif file? A friend showed me how php could be embedded within
> >> the .gif file. Does this problem also exist for .jpeg's?
> >>
> >> thanks,
> >>
> >> jon
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, visit: http://www.php.net/unsub.php
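
The checks discussed in this thread, combined into one upload handler. This is an added example, not code from the thread or from the book it cites; the function name `store_uploaded_image`, the allowlist and the storage directory are assumptions.

```php
<?php
// Added example: hypothetical helper; names and paths are assumptions.

// Extension allowlist mapped to the image type getimagesize() must report.
const ALLOWED_IMAGES = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];

/**
 * Validate one entry of $_FILES and store it under $storageDir.
 * $storageDir is assumed to be a directory where the web server
 * does not run PHP or CGI (ideally outside the document root).
 * Returns the stored path, or throws on any failed check.
 */
function store_uploaded_image(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }

    // 1. Extension of the client-supplied name must be on the allowlist.
    //    A GIF named "avatar.php" is rejected here even though
    //    getimagesize() would accept its header.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }

    // 2. The detected type must match the claimed extension.
    //    The client-sent $file['type'] is not trusted; the content is inspected.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== ALLOWED_IMAGES[$ext]) {
        throw new RuntimeException('content is not the claimed image type');
    }

    // 3. Server-generated name: the original name never reaches the disk,
    //    so double extensions or path components cannot survive.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // move_uploaded_file() also verifies the file came from an HTTP POST upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}
```

A file that passes all three checks can still carry extra bytes after the image data, which is why the storage directory must not execute scripts.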