PHP bug?!!

  • amit

    PHP bug?!!


    Hi group,

    I have the following code for uploading a file in PHP:

    $target = "/var/www/html/sa/usr_bg_imgs/";
    $target = $target . basename( $_FILES['uploaded']['name']) ;
    $ext = $_FILES['uploaded']['type'];

    However, $_FILES['uploaded']['type'] will not work for JPG files since
    it returns nothing!

    It works fine for other files. For example for gif files I do get:
    image/gif as MIME and text/plain for text files but when I try
    test.jpg it doesn't recognize the MIME type.

    This is an issue since checking the physical file extension is not a
    right way in terms of security. What should I do?

    Is this a PHP bug?!

    Thanks.

  • Michael Fesser

    #2
    Re: PHP bug?!!

    ..oO(amit)
    >I have the following code for uploading a file in PHP:
    >
    >$target = "/var/www/html/sa/usr_bg_imgs/";
    >$target = $target . basename( $_FILES['uploaded']['name']) ;
    >$ext = $_FILES['uploaded']['type'];
    >
    >However, $_FILES['uploaded']['type'] will not work for JPG files since
    >it returns nothing!
    >
    >It works fine for other files. For example for gif files I do get:
    >image/gif as MIME and text/plain for text files but when I try
    >test.jpg it doesn't recognize the MIME type.
    >
    >This is an issue since checking the physical file extension is not a
    >right way in terms of security. What should I do?
    Check the file content, that's the only (almost) reliable way. If it's
    just for images, use getimagesize(). For other file types it can get
    more difficult. The PECL extension Fileinfo might be helpful.


    >Is this a PHP bug?!
    No. Information like file extension and content type is sent by the
    browser, hence completely unreliable. It doesn't have to be there at
    all, so you have to check the file content.

    Micha


    • amit

      #3
      Re: PHP bug?!!

      On Mar 19, 5:05 pm, Michael Fesser <neti...@gmx.de> wrote:
      > .oO(amit)
      >
      > > I have the following code for uploading a file in PHP:
      > >
      > > $target = "/var/www/html/sa/usr_bg_imgs/";
      > > $target = $target . basename( $_FILES['uploaded']['name']) ;
      > > $ext    = $_FILES['uploaded']['type'];
      > >
      > > However, $_FILES['uploaded']['type'] will not work for JPG files since
      > > it returns nothing!
      > >
      > > It works fine for other files. For example for gif files I do get:
      > > image/gif as MIME and text/plain for text files but when I try
      > > test.jpg it doesn't recognize the MIME type.
      > >
      > > This is an issue since checking the physical file extension is not a
      > > right way in terms of security. What should I do?
      >
      > Check the file content, that's the only (almost) reliable way. If it's
      > just for images, use getimagesize(). For other file types it can get
      > more difficult. The PECL extension Fileinfo might be helpful.
      >
      > > Is this a PHP bug?!
      >
      > No. Information like file extension and content type is sent by the
      > browser, hence completely unreliable. It doesn't have to be there at
      > all, so you have to check the file content.
      >
      > Micha

      Hi Micha,

      Thank you so much. Yes, I'm using it for uploading image files so you
      are saying using getimagesize() is a good way to recognize its
      validation. Right?

      Regards.


      • amit

        #4
        Re: PHP bug?!!

        On Mar 19, 5:05 pm, Michael Fesser <neti...@gmx.de> wrote:
        > .oO(amit)
        >
        > > I have the following code for uploading a file in PHP:
        > >
        > > $target = "/var/www/html/sa/usr_bg_imgs/";
        > > $target = $target . basename( $_FILES['uploaded']['name']) ;
        > > $ext    = $_FILES['uploaded']['type'];
        > >
        > > However, $_FILES['uploaded']['type'] will not work for JPG files since
        > > it returns nothing!
        > >
        > > It works fine for other files. For example for gif files I do get:
        > > image/gif as MIME and text/plain for text files but when I try
        > > test.jpg it doesn't recognize the MIME type.
        > >
        > > This is an issue since checking the physical file extension is not a
        > > right way in terms of security. What should I do?
        >
        > Check the file content, that's the only (almost) reliable way. If it's
        > just for images, use getimagesize(). For other file types it can get
        > more difficult. The PECL extension Fileinfo might be helpful.
        >
        > > Is this a PHP bug?!
        >
        > No. Information like file extension and content type is sent by the
        > browser, hence completely unreliable. It doesn't have to be there at
        > all, so you have to check the file content.
        >
        > Micha

        One thing is that I tried it as

        $size = getimagesize($target);
        print_r($size);


        However, it doesn't show the output sometimes and I see a blank page
        only. Any comments?

        Thanks.


        • Michael Fesser

          #5
          Re: PHP bug?!!

          ..oO(amit)
          >Thank you so much. Yes, I'm using it for uploading image files so you
          >are saying using getimagesize() is a good way to recognize its
          >validation. Right?
          Yep. This function returns information about the image if it actually
          is an image. See the manual for details and supported image types.

          Micha


          • Michael Fesser

            #6
            Re: PHP bug?!!

            ..oO(amit)
            >One thing is that I tried it as
            >
            > $size = getimagesize($target);
            > print_r($size);
            >
            >
            >However, it doesn't show the output sometimes and I see a blank page
            >only. Any comments?
            Maybe $target wasn't image data recognized by getimagesize()? It only
            supports a handful of formats.

            Micha
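
An added example, not part of the thread and not code from either poster: the content check recommended above, with the return value of `getimagesize()` tested explicitly (it returns `false` for data it does not recognize, and `print_r(false)` prints nothing). The function names `detect_image_ext` and `store_uploaded_image` and the three-type allow-list are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Allow-list keyed by the IMAGETYPE_*
// constant that getimagesize() reports at index 2 of its result.
const ALLOWED_TYPES = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

// Returns a server-chosen extension for the detected type, or null when the
// content is not an allowed image. getimagesize() returns false for data it
// does not recognize, so the result is tested before it is used.
function detect_image_ext(string $path): ?string
{
    $info = @getimagesize($path); // @ silences the notice on truncated files
    if ($info === false) {
        return null;
    }
    return ALLOWED_TYPES[$info[2]] ?? null;
}

// Hypothetical helper: $file is one entry of $_FILES, $dir the target
// directory. The browser-supplied 'name' and 'type' fields are never read.
function store_uploaded_image(array $file, string $dir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = detect_image_ext($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Random server-side name: nothing from the request reaches the path.
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Offline demo on constructed samples (PHP CLI): a GIF header declaring
// 200x200, and a text file standing in for a mislabelled "test.jpg".
if (PHP_SAPI === 'cli') {
    $gif = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($gif, 'GIF89a' . pack('vv', 200, 200) . "\x00\x00\x00;");
    $txt = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($txt, "plain text saved as test.jpg\n");
    var_dump(detect_image_ext($gif), detect_image_ext($txt));
    unlink($gif);
    unlink($txt);
}
```

In an upload handler this would be called as `store_uploaded_image($_FILES['uploaded'], $dir)`, with `$dir` being the upload directory from the original post.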


            • amit

              #7
              Re: PHP bug?!!

              On Mar 19, 5:26 pm, Michael Fesser <neti...@gmx.de> wrote:
              > .oO(amit)
              >
              > > One thing is that I tried it as
              > >
              > >    $size = getimagesize($target);
              > >    print_r($size);
              > >
              > > However, it doesn't show the output sometimes and I see a blank page
              > > only. Any comments?
              >
              > Maybe $target wasn't image data recognized by getimagesize()? It only
              > supports a handful of formats.
              >
              > Micha

              No, it is a JPG file and I can open it using Paint. I can also check
              the width=200 and height=200 using Paint/Photoshop!


              • amit

                #8
                Re: PHP bug?!!

                On Mar 19, 5:26 pm, Michael Fesser <neti...@gmx.de> wrote:
                > .oO(amit)
                >
                > > One thing is that I tried it as
                > >
                > >    $size = getimagesize($target);
                > >    print_r($size);
                > >
                > > However, it doesn't show the output sometimes and I see a blank page
                > > only. Any comments?
                >
                > Maybe $target wasn't image data recognized by getimagesize()? It only
                > supports a handful of formats.
                >
                > Micha

                This is so strange:

                I upload the file without any restriction (for now) then I have:

                $size = getimagesize($target);
                print_r($size);

                However, it shows nothing. It is a JPG file and as far as I know it is
                supported.

                Thanks.


                • amit

                  #9
                  Re: PHP bug?!!

                  On Mar 19, 5:26 pm, Michael Fesser <neti...@gmx.de> wrote:
                  > .oO(amit)
                  >
                  > > One thing is that I tried it as
                  > >
                  > >    $size = getimagesize($target);
                  > >    print_r($size);
                  > >
                  > > However, it doesn't show the output sometimes and I see a blank page
                  > > only. Any comments?
                  >
                  > Maybe $target wasn't image data recognized by getimagesize()? It only
                  > supports a handful of formats.
                  >
                  > Micha

                  Micha,

                  Please ignore my last comment; I checked the log file and found an
                  issue. Thank you so much. Now it works fine.

                  Regards.
