Hi Richard,

Best Wishes for the new year btw!

Richard Lynch wrote:
> On Wed, January 3, 2007 2:52 pm, Philip Thompson wrote:
>> I have a form where a user can upload different types of documents. A
>> valid file type they will be able to upload is a Word Document.
>> However, when I view the $_FILES 'type' of a word document in Internet
>> Explorer, it says it's type 'application/octet-stream' instead of
>> 'application/msword' or 'application/vnd.ms-word'. It works fine in
>> Firefox and Safari.
>>
>> Any ideas why IE does this and/or how I might be able to get around
>> this?
>
> IE does this because MS is not interested in interoperability.
>
> Note that application/octet-stream is valid for any kind of document
> whatsoever for an upload. For output, that would require the browser
> to download the document rather than attempt to display it. More on
> that here:
> http://richardlynch.blogspot.com/
>
>> I know of 1 or 2 options for sort of bypassing this, but I'd
>> like to hear from the group to see if there's a better,
>> security-conscious idea.
>
> The security-conscious idea is to IGNORE the 'type' in $_FILES,
> because anybody could cram anything they want in to that, and send you
> any kind of virus-laden warez document. :-)
>
> Use Mime Magic or exec("file /path/to/upload", $output, $error) to
> find out what kind of document they REALLY uploaded, regardless of
> what they CLAIM it is in $_FILE['type']

I guess this is not the time to bring up the discussion on including the
fileinfo PECL extension into the core as standard that's being waged
on the internals mailing list (or that mime magic seems to have been
magically relegated to the dustbin)? :-)
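
An added example, not code from anyone in this thread: checking an upload by its content with the fileinfo extension instead of trusting $_FILES['type']. The function names, the 'doc' form field mentioned in the comments, and the list of accepted type strings are assumptions made for illustration; the strings libmagic reports for a legacy Word file vary with its version.

```php
<?php
// Added example: decide what was uploaded from the file's bytes,
// never from the client-supplied $_FILES[...]['type'].
// Assumption: type strings libmagic may report for a legacy .doc file.
const WORD_TYPES = [
    'application/msword',
    'application/vnd.ms-office',
    'application/CDFV2',
];

// Returns the content-sniffed MIME type, or null if detection failed.
function sniff_mime_type(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type  = $finfo->file($path);
    return $type === false ? null : $type;
}

function is_word_document(string $path): bool
{
    $type = sniff_mime_type($path);
    return $type !== null && in_array($type, WORD_TYPES, true);
}

// Validates one entry of $_FILES, e.g. $_FILES['doc'] (hypothetical field).
// $file['type'] is deliberately never read.
function accept_word_upload(array $file): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;                       // upload failed or is missing
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;                       // path did not come from an HTTP upload
    }
    return is_word_document($file['tmp_name']);
}

// Constructed sample: a shell script that a client labels as a Word document.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "#!/bin/sh\necho not a Word document\n");
$claimed = 'application/msword';            // what $_FILES['doc']['type'] would say
printf("claimed: %s\nsniffed: %s\naccepted: %s\n",
    $claimed,
    sniff_mime_type($tmp) ?? 'unknown',
    is_word_document($tmp) ? 'yes' : 'no');
unlink($tmp);
```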