James Benson wrote:
Even if you can embed PHP in a GIF it would still need to be executed by
PHP as PHP code, would PHP actually execute that file when it looks like
an image, I would think PHP would output an error?
More importantly though, you should be checking the file extension of
uploaded files to make sure it is only a .gif
James
jonathan wrote:
what is the best way to prevent malicious code from being uploaded via
a .gif file? A friend showed me how php could be embedded within the
.gif file. Does this problem also exist for .jpeg's?
thanks,
jon
It is possible for example to use php for showing images like
fopen and print a random image file.
so opening the .php file will show you a random image.
But if the server isnt set to parse other files than PHP you wont be
able to execute code.
But when server is set so, yes its possible.
Thats why checking the file for php alike contents could be useful.
I thought there was something like a de-evaluate PHP function that rips
off every php code of a textfile/sended text by form or else.
That could be useful too.
Greets
Barry
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
