On 8/7/06, Colin Guthrie <gmane@xxxxxxxxxxxxxx> wrote:
> Sjef wrote:
> > Is it possible to recognize if a file for upload really is a pdf (like the
> > function getimagesize returns the file type of the image)?
>
> If you have a suitable mime.magic file, and your PHP has the functionality
> built into it, you could try the mime_content_type() function.
>
> http://uk.php.net/manual/en/function.mime-content-type.php

Is this to protect against somebody trying to pass an mp3 off as a PDF, or
to stop people mistakenly uploading PDFs? If it's the latter, then mime
functions are probably okay. If the former, then you may want something a
little more thorough.

> Or if not available, read the first few bytes of the file and verify
> that it begins with: %PDF-1.3 (or other versions - perhaps just verify
> the first 4 chars).
>
> You can do this with a simple
>
>     $fp = fopen($filename, 'rb');
>     if ('%PDF' == fread($fp, 4)) {
>         // PDF
>     } else {
>         // Not PDF
>     }
>
> This is very simple.

And very insecure. All it takes is a cat and echo to disguise a file as a
PDF, and a quick 'dd skip' to undisguise it.

> You could also use the "file" commandline utility if the server is a
> *nix machine and parse its output.
>
> e.g. on my machine:
> [colin@jimmy www]$ file ~/Desktop/svn-book.pdf
> /home/colin/Desktop/svn-book.pdf: PDF document, version 1.3
>
> or easier:
> [colin@jimmy www]$ file -i ~/Desktop/svn-book.pdf
> /home/colin/Desktop/svn-book.pdf: application/pdf
>
> Col.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
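
The objection raised in the reply above, that a four-byte prefix check is satisfied by any file with a PDF header glued on, shown as an added example that is not code from either poster: a layered check that also requires the PDF trailer and a content-based MIME type. The function name and sample bytes are constructed for illustration, and passing every check still only shows that the file is shaped like a PDF.

```php
<?php
// Added example; pdf_check_failures() and the sample bytes are hypothetical.

/** Returns the names of the checks that failed; empty means all passed. */
function pdf_check_failures(string $path): array
{
    $size = filesize($path);
    $fp = fopen($path, 'rb');
    if ($size === false || $fp === false) {
        return ['unreadable'];
    }
    $failures = [];

    // 1. Header: "%PDF-" plus a version such as 1.3 at offset 0.
    if (!preg_match('/^%PDF-\d\.\d/', (string) fread($fp, 8))) {
        $failures[] = 'header';
    }

    // 2. Trailer: the file ends with "startxref", an offset and "%%EOF".
    //    Only the last 1024 bytes are searched.
    fseek($fp, -min($size, 1024), SEEK_END);
    $tail = (string) fread($fp, 1024);
    fclose($fp);
    if (!preg_match('/startxref\s+\d+\s+%%EOF/', $tail)) {
        $failures[] = 'trailer';
    }

    // 3. Content-based MIME type from the fileinfo extension, if loaded.
    if (class_exists('finfo')) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
        if ($mime !== 'application/pdf') {
            $failures[] = 'mime';
        }
    }
    return $failures;
}

// Constructed samples: a PDF-shaped skeleton, and a PDF header glued onto other bytes.
$samples = [
    'skeleton' => "%PDF-1.3\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\nstartxref\n9\n%%EOF\n",
    'disguised' => "%PDF-1.3\n" . str_repeat("\x00\xff", 64),
];
foreach ($samples as $name => $bytes) {
    $path = tempnam(sys_get_temp_dir(), 'pdfchk');
    file_put_contents($path, $bytes);
    $failed = pdf_check_failures($path);
    echo $name, ': ', $failed ? 'rejected (' . implode(', ', $failed) . ')' : 'accepted', "\n";
    unlink($path);
}
```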