uploading files of limited type

  • william108@gmail.com

    uploading files of limited type

    Hi, I have a site and I put an upload button there and the first file I
    received was an .exe file.
    Is there some way to protect from that sort of thing? I read about
    using the Linux utility "file" to determine the file type but I don't
    know how to do that nor whether you can embed that in a PHP script. If
    anyone has a good solution please let me know.
    Thank you!

  • Michał Woźniak

    #2
    Re: uploading files of limited type

    william108@gmail.com wrote:

    > Hi, I have a site and I put an upload button there and the first file I
    > received was an .exe file.

    Well, obviously you can test the file extension and disallow the unwanted
    files (like *.exe). Of course, this will not protect you from people giving
    you files with changed extensions (like an executable disguised as a jpeg
    image), but:
    1. On Windows such files will not be executable due to extension;
    2. On Linux they won't be either, as they would have to have "execute"
    permission.

    Just my three pence
    Mike


    • RotterdamStudents

      #3
      Re: uploading files of limited type

      > Hi, I have a site and I put an upload button there and the first file I
      > received was an .exe file.
      > Is there some way to protect from that sort of thing? I read about
      > using the Linux utility "file" to determine the file type but I don't
      > know how to do that nor whether you can embed that in a PHP script. If
      > anyone has a good solution please let me know.
      > Thank you!

      I use this script. The file comes from a form called upload.htm.
      This script allows only files with extensions .jpg/.jpeg and .gif to be
      uploaded.

      <?php
      $uploaddir = '../upload/';
      $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
      $root = '../upload/';

      if ($filetype <> 'image/pjpeg' && $filetype <> 'image/gif') {
          echo "Only jpeg & gif are allowed<br>";
      } else {
          move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile);
          echo "The file uploades succesfully";
      }

      ?>

      Martijn



      • RotterdamStudents

        #4
        Re: uploading files of limited type

        > <?php
        $filetype = $_FILES['userfile']['type'];
        > $uploaddir = '../upload/';
        > $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
        > $root = '../upload/';
        >
        > if ($filetype <> 'image/pjpeg' && $filetype <> 'image/gif') {
        > echo "Only jpeg & gif are allowed<br>";
        > } else {
        > move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile);
        > echo "The file uploades succesfully";
        >
        > }
        >
        > ?>
        >
        > Martijn



        • Daniel Tryba

          #5
          Re: uploading files of limited type

          RotterdamStudents <NOSPAMnewsNOSPAM@mapsoncistron.nederland> wrote:
          > I use this script. The file comes from a form called upload.htm.
          > This script allows only files with extensions .jpg/.jpeg and .gif to be
          > uploaded.

          It's the browser that tells the script which mimetype it just has
          uploaded. And since some braindead browsers depend on extension for
          local use one can still upload harmful executables.

          > if ($filetype <> 'image/pjpeg' && $filetype <> 'image/gif') {
          > echo "Only jpeg & gif are allowed<br>";
          > } else {

          Great, so I couldn't upload any nonprogressive jpeg files, since my
          browser sets the mimetype correctly to image/jpeg for non progressive
          jpegs.

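Added example (not part of any post in this thread): the type check discussed above, done on the server from the file's content with PHP's fileinfo extension, which uses the same libmagic signatures as the `file` utility the original question asks about, instead of the browser-supplied `$_FILES[...]['type']`. The field name `userfile` and the `../upload/` directory follow the posted script; the function names, the allowlist and the sample bytes are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. 'userfile' and '../upload/' follow
// the posted script; function names and sample data are constructed here.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Return a safe extension chosen from the file's content, or null if not allowed.
function sniff_extension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path); // libmagic, as in file(1)
    return is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
}

// Handle one entry of $_FILES; returns the stored path, or null on rejection.
function store_upload(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $ext = sniff_extension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-generated name: neither the client's file name nor its extension is kept.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

if (isset($_FILES['userfile'])) {
    echo store_upload($_FILES['userfile'], '../upload/') !== null
        ? "The file uploaded successfully"
        : "Only jpeg & gif are allowed<br>";
} elseif (PHP_SAPI === 'cli') {
    // Constructed samples: a minimal GIF, and a DOS "MZ" header (as in .exe) named .jpg
    $samples = [
        'picture.gif' => "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;",
        'holiday.jpg' => "MZ\x90\x00\x03\x00\x00\x00" . str_repeat("\x00", 56),
    ];
    foreach ($samples as $name => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        printf("%-12s -> %s\n", $name, sniff_extension($tmp) ?? 'rejected');
        unlink($tmp);
    }
}
```

Because the type comes from the file's bytes, progressive and non-progressive JPEGs are both reported as `image/jpeg` regardless of what the browser sends. The check identifies the format only, so the upload directory should still be served without script execution.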