On Mon, Sep 6, 2010 at 1:45 PM, chris h <chris404@xxxxxxxxx> wrote:
> Per PHPdocs on $_FILES['userfile']['type']...
>
> "The mime type of the file, if the browser provided this information. An
> example would be "image/gif". This mime type is however not checked on the
> PHP side and therefore don't take its value for granted."
>
>
> Personally I like to use the file right off-the-bat to ensure it's safe.
> So if it's an image do some kind of image manipulation function on it, if
> it's zip then use some zip functions on it (i.e. if you can read data from a
> zip file using a zip function then it's probably a real zip file). It can
> be slow, but handling user uploaded files is so dangerous that I think it's
> typically the way to go.
>
>
> Chris.
>
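
Added example, not part of the original message: one way to do the content check described above in PHP, ignoring $_FILES[...]['type'] and letting GD and ZipArchive decide what the file really is. The helper name classify_by_content and the sample files are constructed for illustration; it assumes the gd and zip extensions are loaded.

```php
<?php
// Added example. Assumes ext-gd and ext-zip; classify_by_content() is a hypothetical helper.

/**
 * Decide what an uploaded file is by parsing it, never by the client-supplied
 * MIME type. Returns 'image', 'zip', or null when no parser accepts the bytes.
 */
function classify_by_content(string $path): ?string
{
    // Image check: GD must be able to decode the bytes. @ hides the warning on garbage.
    $bytes = file_get_contents($path);
    if ($bytes !== false && $bytes !== '' && @imagecreatefromstring($bytes) !== false) {
        return 'image';
    }
    // Zip check: open with consistency checks, then require every entry to stat cleanly.
    $zip = new ZipArchive();
    if ($zip->open($path, ZipArchive::CHECKCONS) === true) {
        $ok = $zip->numFiles > 0;
        for ($i = 0; $ok && $i < $zip->numFiles; $i++) {
            $ok = $zip->statIndex($i) !== false;
        }
        $zip->close();
        if ($ok) {
            return 'zip';
        }
    }
    return null;
}

// Constructed sample inputs: a real PNG, a real zip, and plain text.
$dir = sys_get_temp_dir();
$png = tempnam($dir, 'up');
imagepng(imagecreatetruecolor(2, 2), $png);

$zipPath = tempnam($dir, 'up');
$z = new ZipArchive();
$z->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$z->addFromString('a.txt', 'hello');
$z->close();

$fake = tempnam($dir, 'up');
file_put_contents($fake, "this is plain text, not an image\n");

// Second element stands in for the untrusted $_FILES['userfile']['type'] value.
$uploads = [[$png, 'image/gif'], [$zipPath, 'application/zip'], [$fake, 'image/gif']];
foreach ($uploads as [$path, $claimed]) {
    $parsed = classify_by_content($path) ?? 'rejected';
    echo "claimed=$claimed parsed=$parsed\n";
    unlink($path);
}
```

The third sample claims image/gif but is rejected because neither parser accepts its bytes, while the first is accepted as an image even though its claimed subtype is wrong.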