Re: Re: how to detect type of image


 



Sorry I'm late to this thread, I don't know if it has been mentioned, but most files have a 'magic number' at the beginning of the file, which usually reads as a couple of letters or more. I think EXE files start with MZ, gifs with GIFxx where xx is the last two digits of the year of the standard. Just open files of the types you are concerned about and check the first few characters.

Satyam

----- Original Message ----- From: "Richard Lynch" <ceo@xxxxxxxxx>
To: "Jonathan" <haptiK@xxxxxxxxx>
Cc: <php-general@xxxxxxxxxxxxx>
Sent: Wednesday, April 25, 2007 4:30 AM
Subject: Re:  Re: how to detect type of image


On Sun, April 22, 2007 10:35 am, Jonathan wrote:
Alain Roger wrote:
Hi,

In my web application, the end user is able to load images (png, jpeg, gif, ...) into a database.
I would like to know how I can detect automatically the type of image (png, jpeg, ...)?
I do not want to check the extension because this is easily faked just by renaming the file.

Is there a technique for that?

thanks a lot,


Is there anything wrong with just using $_FILES['upload_name']['type']?

Yes.

The first thing wrong, is that the idiot browser-makers can't even
agree on what to cram into that when a user uploads a simple JPEG,
much less some more esoteric document.  So, right there, what you have
in there under "normal" circumstances is pretty much garbage.

The second thing wrong is that the Bad Guys can cram any dang thing
they want in there, regardless of what they are uploading.  So they
can upload a nice .exe binary file and cram "image/jpeg" into the
type.  If your script is equally insecure throughout, then you could
easily end up having an executable file up on your server that the Bad
Guy wrote, and all they have to do is surf to it for it to run.  That
would be bad, just in case it's not terribly obvious. :-)

Other than that, though, it's fine and dandy to use it... :-)

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php






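The approach Satyam describes (read the first bytes and compare them to each format's magic number) and Richard's point that the client-supplied type must not be trusted, worked through as an added example that is not from any poster in this thread. It assumes the upload field is named 'upload_name', as in Jonathan's question, and only accepts PNG, GIF and JPEG.

```php
<?php
// Added example (not from the thread): identify an uploaded image by its
// leading bytes instead of trusting $_FILES[...]['type'] or the extension.
// The signatures are the well-known first bytes of each format.
function detectImageType(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 12);          // enough for every signature below
    fclose($fh);
    if ($head === false || strlen($head) < 4) {
        return null;                  // too short to be any accepted image
    }
    // PNG: fixed 8-byte signature
    if (substr($head, 0, 8) === "\x89PNG\r\n\x1a\n") {
        return 'image/png';
    }
    // GIF: "GIF87a" or "GIF89a" (the "xx" Satyam mentions is 87 or 89)
    if (substr($head, 0, 6) === 'GIF87a' || substr($head, 0, 6) === 'GIF89a') {
        return 'image/gif';
    }
    // JPEG: SOI marker FF D8 followed by another FF marker byte
    if (substr($head, 0, 3) === "\xFF\xD8\xFF") {
        return 'image/jpeg';
    }
    return null;                      // unknown, or a type we do not accept
}

// Upload handler; 'upload_name' is the field name from the thread (assumed).
$allowed = ['image/png', 'image/gif', 'image/jpeg'];
if (isset($_FILES['upload_name'])
    && is_uploaded_file($_FILES['upload_name']['tmp_name'])) {
    $type = detectImageType($_FILES['upload_name']['tmp_name']);
    if ($type === null || !in_array($type, $allowed, true)) {
        http_response_code(400);
        exit('Rejected: not a PNG, GIF or JPEG');
    }
    // $type comes from the bytes, not the browser; store and later serve
    // the blob with this value rather than $_FILES['upload_name']['type'].
}
```

A leading-bytes check confirms only the header, not that the rest of the file is a well-formed image, so keep uploads out of any directory the web server will execute scripts from and set the Content-Type from the detected value when serving them back.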

