On Mon, August 7, 2006 9:08 am, Sjef wrote:
> Is it possible to recognize if a file for upload really is a pdf (like
> the function getimagesize returns the file type of the image)?

It should be noted that getimagesize is also not fool-proof, for the same reasons as the PDF first-4 bytes == '%PDF' is not "secure".

getimagesize only looks at the first N bytes to figure out width/height/etc.

It's a bit more complex than the PDF version, as it has to choose the right bytes for the given image type, but it's not an exhaustive check that the file *IS* a valid image file.

That said, this can be one more simple/easy barrier in place in a series of security checks, both for Images and PDFs.

The only way to be 99.99999% certain an image is a valid image is to have a human eyeball look at it -- leaving the remainder of a percentage for "art" images too weird to be distinguished from noise.

It's also theoretically possible that some single specific image "out there" could "look" fine, but by sheer coincidence that specific sequence of bytes could ALSO be a malicious program.

That's kind of pointless in the general sense, except as an indicator that you will never get 100% certainty, so it's probably best to do several fast easy checks that rely on un-related data so that you have a series of barriers rather than a single point of failure in your security.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
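
An added example, not part of the original message: one way to stack several cheap checks that read unrelated data (client file name, leading bytes, trailing bytes, size) so that no single test is the only barrier. The function name, the size limits and the 1024-byte trailer window are assumptions, and passing every check still does not prove the file is a valid PDF.

```php
<?php
// Added illustration, not code from the original message.
const MAX_BYTES = 10 * 1024 * 1024; // assumed upload size limit

/** Returns the names of the failed checks; an empty array means every barrier passed. */
function pdf_upload_failures(string $path, string $clientName): array
{
    $size = @filesize($path);
    $fh = @fopen($path, 'rb');
    if ($size === false || $fh === false) {
        return ['unreadable'];
    }
    $failed = [];
    if ($size < 32 || $size > MAX_BYTES) {
        $failed[] = 'size';
    }
    // Barrier 1: client-supplied name (attacker-controlled, so weak on its own).
    if (strtolower(pathinfo($clientName, PATHINFO_EXTENSION)) !== 'pdf') {
        $failed[] = 'extension';
    }
    // Barrier 2: the leading bytes, i.e. the '%PDF' test discussed in the message.
    if (fread($fh, 5) !== '%PDF-') {
        $failed[] = 'header';
    }
    // Barrier 3: unrelated bytes at the other end of the file (PDF trailer markers).
    fseek($fh, -min(1024, $size), SEEK_END);
    $tail = (string) fread($fh, 1024);
    fclose($fh);
    if (strpos($tail, 'startxref') === false || strpos($tail, '%%EOF') === false) {
        $failed[] = 'trailer';
    }
    return $failed;
}

// Constructed sample inputs (byte strings made up for this example, not real documents).
$samples = [
    'report.pdf'      => "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\nstartxref\n9\n%%EOF\n",
    'header-only.pdf' => "%PDF-1.4\nthis is not a document, only a header\n",
    'photo.pdf'       => "\x89PNG\r\n\x1a\n" . str_repeat("\0", 64),
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $failed = pdf_upload_failures($tmp, $name);
    echo $name, ': ', $failed ? 'rejected (' . implode(', ', $failed) . ')' : 'passed', "\n";
    unlink($tmp);
}
```

The header-only sample passes the first-bytes test and is stopped only by the trailer check, which is the point of layering checks over unrelated data.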