On Wed, January 3, 2007 2:52 pm, Philip Thompson wrote: > I have a form where a user can upload different types of documents. A > valid file type they will be able to upload is a Word Document. > However, when I view the $_FILES 'type' of a word document in Internet > Explorer, it says it's type 'application/octet-stream' instead of > 'application/msword' or 'application/vnd.ms-word'. It works fine in > Firefox and Safari. > > Any ideas why IE does this and/or how I might be able to get around > this? IE does this because MS is not interested in interoperability. Note that application/octet-stream is valid for any kind of document whatsoever for an upload. For output, that would require the browser to download the document rather than attempt to display it. More on that here: http://richardlynch.blogspot.com/ > I know of 1 or 2 options for sort of bypassing this, but I'd > like to hear from the group to see if there's a better, > security-conscious idea. The security-conscious idea is to IGNORE the 'type' in $_FILES, because anybody could cram anything they want in to that, and send you any kind of virus-laden warez document. :-) Use Mime Magic or exec("file /path/to/upload", $output, $error) to find out what kind of document they REALLY uploaded, regardless of what they CLAIM it is in $_FILE['type'] -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some starving artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
