Re: security of uploaded gif files


 



James Benson wrote:
Even if you can embed PHP in a GIF, it would still need to be executed by PHP as PHP code. Would PHP actually execute that file when it looks like an image? I would think PHP would output an error.


More importantly though, you should be checking the file extension of uploaded files to make sure it is only a .gif.



James



jonathan wrote:

What is the best way to prevent malicious code from being uploaded via a .gif file? A friend showed me how PHP could be embedded within the .gif file. Does this problem also exist for .jpegs?

thanks,

jon


It is possible, for example, to use PHP for showing images, like
fopen and print a random image file,
so opening the .php file will show you a random image.

But if the server isn't set to parse other files than PHP, you won't be able to execute code.

But when the server is set so, yes, it's possible.

That's why checking the file for PHP-like contents could be useful.

I thought there was something like a de-evaluate PHP function that rips out all PHP code from a text file, text sent by form, or else.
That could be useful too.

Greets
	Barry

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
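
The two checks suggested in this thread (the extension check and the scan for PHP-like contents), combined with a check that the bytes really are a GIF, as an added example that is not code from any poster. check_gif_upload() is a hypothetical name, the sample data is constructed, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not from the thread. check_gif_upload() is a hypothetical name.
// Returns the reasons to reject an upload; an empty array means all checks passed.
function check_gif_upload(string $clientName, string $bytes): array
{
    $problems = [];

    // James's check: accept only a final extension of .gif, so a name such as
    // "photo.gif.php" is never stored where the server would run it as PHP.
    if (strtolower(pathinfo($clientName, PATHINFO_EXTENSION)) !== 'gif') {
        $problems[] = 'extension is not .gif';
    }

    // The bytes must really be a GIF, whatever the client-supplied name says.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || $info[2] !== IMAGETYPE_GIF) {
        $problems[] = 'content is not a GIF image';
    }

    // Barry's check: look for a PHP open tag ("<?php", "<?=" or short "<? ").
    // Heuristic only: compressed pixel data can contain "<?" by chance, so
    // treat a hit as a reason to reject or re-encode, not as proof of intent.
    if (preg_match('/<\?(php|=|\s)/i', $bytes) === 1) {
        $problems[] = 'contains a PHP open tag';
    }

    return $problems;
}

// Constructed sample data: a minimal 1x1 GIF, and the same image with a
// harmless PHP tag appended after the GIF trailer.
$gif = hex2bin('47494638396101000100800000000000ffffff'
             . '2c0000000001000100000202440100' . '3b');
$tainted = $gif . '<?php echo 1; ?>';

$cases = [['photo.gif', $gif], ['photo.gif', $tainted], ['photo.gif.php', $tainted]];
foreach ($cases as [$name, $data]) {
    echo $name, ' => ', json_encode(check_gif_upload($name, $data)), "\n";
}
```

As Barry notes, the embedded code only runs if the server is set to parse the stored file as PHP, so these checks sit alongside that server configuration rather than replacing it.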

