On Sun, April 22, 2007 10:35 am, Jonathan wrote:
> Alain Roger wrote:
>> Hi,
>>
>> In my web application, end user is able to load images (png, jpeg, gif,..)
>> into database.
>> I would like to know how can I detect automatically the type of image (png,
>> jpeg,...) ?
>> I do not want to check the extension because this is easily faked... just by
>> renaming it.
>>
>> Does it exist a technique for that ?
>>
>> thanks a lot,
>>
>
> Is there anything wrong with just using
> $_FILES['upload_name']['type']?

Yes.

The first thing wrong is that the idiot browser-makers can't even agree on what to cram into that when a user uploads a simple JPEG, much less some more esoteric document.

So, right there, what you have in there under "normal" circumstances is pretty much garbage.

The second thing wrong is that the Bad Guys can cram any dang thing they want in there, regardless of what they are uploading.

So they can upload a nice .exe binary file and cram "image/jpeg" into the type.

If your script is equally insecure throughout, then you could easily end up having an executable file up on your server that the Bad Guy wrote, and all they have to do is surf to it for it to run.

That would be bad, just in case it's not terribly obvious. :-)

Other than that, though, it's fine and dandy to use it... :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
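A server-side check on the file's own leading bytes, which addresses both problems raised in the reply above; this is an added example, not code from the original thread. The function names `sniff_image_type` and `check_upload` are hypothetical, and the sample byte strings and claimed types are constructed for illustration.

```php
<?php
// Added example: identify an upload by its leading bytes, never by the
// client-supplied $_FILES[...]['type'] or by the file name.

// Signatures for the three formats named in the thread.
const IMAGE_SIGNATURES = [
    'image/png'  => ["\x89PNG\r\n\x1a\n"],
    'image/jpeg' => ["\xFF\xD8\xFF"],
    'image/gif'  => ['GIF87a', 'GIF89a'],
];

/** Return the MIME type implied by the leading bytes, or null if none match. */
function sniff_image_type(string $bytes): ?string
{
    foreach (IMAGE_SIGNATURES as $mime => $magics) {
        foreach ($magics as $magic) {
            if (strncmp($bytes, $magic, strlen($magic)) === 0) {
                return $mime;
            }
        }
    }
    return null;
}

/** Accept an upload only if its content starts like a known image type. */
function check_upload(string $bytes, string $claimedType): array
{
    $actual = sniff_image_type($bytes);
    return [
        'accepted' => $actual !== null,
        'type'     => $actual,                  // store this, not the claim
        'mismatch' => $actual !== $claimedType, // worth logging
    ];
}

// Constructed sample inputs: [leading bytes, type the client claims].
$samples = [
    'real png'           => ["\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR", 'image/png'],
    'jpeg sent as pjpeg' => ["\xFF\xD8\xFF\xE0\x00\x10JFIF\x00", 'image/pjpeg'],
    'exe claiming jpeg'  => ["MZ\x90\x00\x03\x00\x00\x00", 'image/jpeg'],
];

foreach ($samples as $label => [$bytes, $claimed]) {
    $r = check_upload($bytes, $claimed);
    printf("%-20s claimed=%-12s actual=%-10s accepted=%s\n",
        $label, $claimed, $r['type'] ?? 'unknown', $r['accepted'] ? 'yes' : 'no');
}
```

In an upload handler the bytes would be read from the start of `$_FILES['upload_name']['tmp_name']`. A matching signature only identifies the header, so a decoder-based check such as `getimagesize()` is a stricter follow-up before the data is stored.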