On Wed, April 25, 2007 2:51 am, Satyam wrote:
> Sorry I'm late to this thread, I don't know if it has been mentioned, but
> most files have a 'magic number' at the beginning of the file, which usually
> reads as a couple of letters or more. I think EXE files start with MZ, gifs
> with GIFxx where xx is the last two digits of the year of the standard.
> Just open files of the types you are concerned about and check the first few
> characters.

That's pretty much how the MIME magic PHP function works, as well as
exec("file $foo", $output, $error)

So I certainly would not attempt to re-invent the wheel on this one.

Even PHP's getimagesize or whatever it is uses the same idea, so that
would be better.

Note that a really savvy hacker might still find a way to upload
something with the right headers to fool your script, but with
embedded "data" that is going to give you trouble...

But they'll sure have to work hard at it, and they'll be a lot more
rare than if you don't do this simple basic check.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
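
The check discussed in this message, as an added example that is not part of the original post: it identifies an upload by its content using PHP's fileinfo extension (libmagic, without a shell call), cross-checks with getimagesize(), and stores the file under a server-chosen name so that a file with a valid header and extra embedded data never lands under an executable extension. `ALLOWED` and `classify_upload()` are hypothetical names, the sample bytes are constructed, and PHP 7.1+ with fileinfo enabled is assumed.

```php
<?php
// Added example: content-based upload check. ALLOWED and classify_upload()
// are hypothetical names, not from the original message.

const ALLOWED = [            // detected MIME type => extension we store under
    'image/gif'  => 'gif',
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

/**
 * Returns [storedName, mime] if the file's content matches an allowed image
 * type, or null if it should be rejected. The client-supplied file name and
 * Content-Type are never consulted.
 */
function classify_upload(string $path): ?array
{
    // libmagic lookup via fileinfo: same idea as `file`, but no shell involved.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return null;
    }

    // Second opinion: getimagesize() must parse the header and agree on type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }

    // Server-chosen name and extension, so a file that passes the header
    // check but carries embedded data is not stored under an executable name.
    return [bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime], $mime];
}

// Constructed samples: a minimal GIF header, and a file starting with "MZ"
// that the client has named as if it were a GIF.
$samples = [
    'real.gif' => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'fake.gif' => "MZ\x90\x00" . str_repeat("\x00", 60),
];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $result = classify_upload($tmp);
    echo $clientName, ' => ',
        $result ? "accept as {$result[0]} ({$result[1]})" : 'reject', "\n";
    unlink($tmp);
}
```

The stored files should also live in a directory the web server does not execute scripts from, since the header check alone does not rule out embedded data.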