determine if file name has 2 dots in it


Smudly


My uploader allows the following file formats:

jpg
pdf
gif
png

I tested that if someone was to name a file configure.php.jpg, my uploader allows it to upload.

I want to do a check to see if the user has 2 extensions, and if so it will not allow them to upload.

I was thinking of just checking if the file name has two "." (dots) in the name. What function could I use to do this?

Or .. is there a better way?


Or you could make sure the filetype is an actual image or pdf file!

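$file = $_FILES["file"]["type"]; // MIME type as reported by the browser

// "image/pjpeg" and "image/x-png" are the names older Internet Explorer versions send
if (($file == "image/gif") || ($file == "image/jpeg") || ($file == "image/pjpeg") || ($file == "image/png") || ($file == "image/x-png") ||
    ($file == "application/pdf") || ($file == "application/x-pdf")) {
  // do upload
}
else {
  // display error
}

You could also use a switch statement if you prefer.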


Thanks for the tip.

I forgot to mention the uploader also allows .doc or .docx files.

When echoing the type of file this is, it displays:

application/vnd.openxmlformats-officedocument.wordprocessingml.document

Does this sound right?

If so, I'll just include this as well in the code you provided:

($type == "application/vnd.openxmlformats-officedocument.wordprocessingml.document")


It's fairly easy to craft a file that, when checked, returns a 'safe' and expected MIME type but actually contains PHP code and, if it is ever executed as a script file, allows a hacker to take over your site.

The best solutions are to both check everything you can about an uploaded file and to also put it into a location where it cannot be directly requested and/or where the PHP language engine has been disabled, and of course, never allow an uploaded file to be included or eval'ed by your code.

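The checks discussed in this thread, combined as an added example that is not code from any of the posters: exactly one dot in the name, an extension allowlist for the four formats from the first post, a content-based type check with finfo instead of the client-supplied type, and storage under a generated name in a directory that cannot be requested directly. UPLOAD_DIR, the function names and the sample file names are assumptions.

```php
<?php
// Added example, not code from the thread. UPLOAD_DIR and all names here are assumptions.
const UPLOAD_DIR = '/var/www/private_uploads'; // assumed location outside the web root
const ALLOWED = [                              // extension => types finfo may report for it
    'jpg' => ['image/jpeg'],
    'gif' => ['image/gif'],
    'png' => ['image/png'],
    'pdf' => ['application/pdf'],
];

/** Returns the allowed extension for a client file name, or null if the name is rejected. */
function allowed_extension(string $clientName): ?string
{
    $parts = explode('.', $clientName);
    // Exactly one dot: "photo.jpg" passes, "configure.php.jpg" and ".htaccess" do not.
    if (count($parts) !== 2 || $parts[0] === '') {
        return null;
    }
    $ext = strtolower($parts[1]);
    return array_key_exists($ext, ALLOWED) ? $ext : null;
}

/** Validates one $_FILES entry and moves it to UPLOAD_DIR under a random name. */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    $ext = allowed_extension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('File name not allowed');
    }
    // Type detected from the file contents; $file['type'] comes from the client and is ignored.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }
    // The stored name is generated server-side, so nothing from the client name reaches disk.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    return $target;
}

// Constructed sample names, checked without a real upload:
foreach (['photo.jpg', 'configure.php.jpg', '.htaccess', 'report.PDF'] as $name) {
    printf("%-20s %s\n", $name, allowed_extension($name) ?? 'rejected');
}
```

A matching content type does not prove a file is free of embedded PHP, which is why the example also keeps the client's name off disk and stores the file where it cannot be requested as a script.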

Yes, this is a very good point. I have an upload script for images with which users can upload their image files. The problem is that the dir is CHMOD 777 to get it to work; otherwise the file is rejected and PHP throws an error.

This is because my host's server has it set to SAFE MODE ON. This is a major security problem, so I disable the PHP engine in a .htaccess file just for this directory. I know this is still not a fail-safe method.

If you have any other ideas which might help please share them!

Thanks!!!
