[nycphp-talk] uploaded files

tedd tedd at sperling.com
Wed Jul 26 13:21:19 EDT 2006


At 12:23 PM -0400 7/26/06, Rahmin Pavlovic wrote:
>On 7/26/06 11:37 AM, "Daniela Gutierrez" <daniela at ula.ve> wrote:
>
>>  Hi everybody!
>>
>>  I would like to know how to verify that the files that have been uploaded
>>  by some user are jpeg, because I only want them to upload images and I
>>  also want to be sure that they are not uploading some kind of malicious
>>  files.
>
>if (stristr($_FILES['file_field']['name'],'.jpg')=='' &&
>     stristr($_FILES['file_field']['name'],'.jpeg')=='') {
>     // not okay
>}
>else {
>     // okay
>}
>
>That just checks for the existence of the file-extension in the filename
>(which you can tighten up), but I'm guessing you can do something similar to
>the following if you have a recent version of GD installed:
>
>if(!imagecreatefromjpeg($_FILES['file_field']['tmp_name'])) {
>     // file doesn't appear to be a valid jpeg
>}

In addition to that, you might resample the image to a different 
size, or convert to another format, or cut, or crop, or merge with 
another image (i.e., copyright). If it is malicious code, then that 
should cause the offending code some problems -- however -- I've 
never encountered any malicious code, it's just an idea.

Furthermore, if you get the image size via:

$imageArray = getimagesize("the.jpg");

and dump the array.

print_r($imageArray);

You will see several pieces of data that you could test for.

I'm entertaining the same problem.

hth's

tedd
-- 
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com
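
The two suggestions in the message above (test the values in the getimagesize() array, then re-save the image through GD) combined into one upload handler, as an added example that is not part of the original message. The function names, `$destDir` and the `$maxSide` limit are assumptions; `file_field` is the field name used in the thread.

```php
<?php
// Added example, not code from the thread. Function names, $destDir and
// $maxSide are assumptions; 'file_field' is the field name used above.

function reencode_jpeg(string $srcPath, string $destDir, int $maxSide = 4096): ?string
{
    // Header check: [0] = width, [1] = height, [2] = IMAGETYPE_* constant.
    $info = @getimagesize($srcPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }
    if ($info[0] < 1 || $info[1] < 1 || $info[0] > $maxSide || $info[1] > $maxSide) {
        return null; // bound the dimensions before GD allocates a bitmap
    }
    // Full decode: fails on files that only carry a JPEG-looking header.
    $image = @imagecreatefromjpeg($srcPath);
    if ($image === false) {
        return null;
    }
    // Server-chosen name; the client-supplied name and extension are never used.
    $destPath = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    // Writing the decoded pixels back out discards metadata segments and any
    // bytes appended after the image data.
    return imagejpeg($image, $destPath, 85) ? $destPath : null;
}

function store_uploaded_jpeg(array $upload, string $destDir): ?string
{
    // Accept only completed uploads that PHP itself received via HTTP POST.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        return null;
    }
    return reencode_jpeg($upload['tmp_name'], $destDir);
}

// Constructed demo input (CLI only): a real JPEG with text appended to it.
if (PHP_SAPI === 'cli') {
    $src = tempnam(sys_get_temp_dir(), 'up');
    imagejpeg(imagecreatetruecolor(32, 32), $src);
    file_put_contents($src, 'CONSTRUCTED-TRAILING-BYTES', FILE_APPEND);
    $out = reencode_jpeg($src, sys_get_temp_dir());
    $kept = strpos(file_get_contents($out), 'CONSTRUCTED-TRAILING-BYTES') !== false;
    echo $kept ? "trailing bytes kept\n" : "trailing bytes removed\n";
    file_put_contents($src, 'not an image');
    var_dump(reencode_jpeg($src, sys_get_temp_dir())); // second case: a non-image file
    unlink($src);
    unlink($out);
}
```

In a form handler the call would be `store_uploaded_jpeg($_FILES['file_field'], $destDir)`, with `$destDir` pointing at a directory the web server does not execute scripts from.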


