On 5/14/06, Nick Wilson <nick@xxxxxxxxxxxxxxxxxx> wrote:
Hi all, are there any security concerns with uploaded images? My thought is that it wouldn't be too hard to have some kind of script masquerade as a gif file, and perhaps cause damage. I can't find any way to check a file really is a gif/png/jpg (I assume the mimetype available in $_FILES could be spoofed). I'd welcome any thoughts in general on this, but specifically if anyone has experience/knowledge in this area and can point me in the right direction.
Check the file extension and the mimetype, make sure they are both valid. Or, as someone else suggested, use getimagesize on it - if that returns false or empty then it's not an image.

-- 
Postgresql & php tutorials
http://www.designmagick.com/
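
One way to combine the checks suggested in this reply (extension, MIME type, getimagesize), as an added example that is not part of the original message. The function name, the allow-list, the size limit and the destination directory are assumptions; the MIME type is read from the file's bytes with fileinfo rather than from $_FILES, since the question notes that value can be spoofed.

```php
<?php
// Added example, not code from the thread. store_uploaded_image(), ALLOWED_TYPES,
// $destDir and the 2 MiB default limit are assumptions made for illustration.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => ['ext' => 'gif', 'mime' => 'image/gif'],
    IMAGETYPE_JPEG => ['ext' => 'jpg', 'mime' => 'image/jpeg'],
    IMAGETYPE_PNG  => ['ext' => 'png', 'mime' => 'image/png'],
];

function store_uploaded_image(string $field, string $destDir, int $maxBytes = 2097152): string
{
    $f = $_FILES[$field] ?? null;
    // Reject missing fields, multi-file arrays and any PHP upload error.
    if (!is_array($f) || !isset($f['error']) || is_array($f['error'])
        || $f['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or field missing');
    }
    // Only accept a file PHP itself received over HTTP POST, within the size limit.
    if (!is_uploaded_file($f['tmp_name']) || filesize($f['tmp_name']) > $maxBytes) {
        throw new RuntimeException('Not an uploaded file or too large');
    }
    // Check 1: getimagesize() returns false when the data is not a recognised image.
    $info = @getimagesize($f['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('Not a GIF, JPEG or PNG image');
    }
    $type = ALLOWED_TYPES[$info[2]];
    // Check 2: MIME type sniffed from the content; $_FILES[...]['type'] is client-supplied.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== $type['mime']) {
        throw new RuntimeException('MIME type does not match image type');
    }
    // Check 3: the client's extension must agree with the detected type.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if ($ext !== $type['ext']) {
        throw new RuntimeException('Extension does not match image type');
    }
    // Passing the checks does not make the bytes trusted: never reuse the client's
    // file name, and pick the extension from the detected type.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $type['ext'];
    if (!move_uploaded_file($f['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload');
    }
    return $target;
}
```

Point $destDir at a directory the web server serves as static files only, so that a stored upload is never executed as a script.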