Hi there, I was wondering about the security of file uploads. I am currently
using the PEAR uploader class. I can check for allowed file extensions,
but it doesn't seem to check for file type; I can currently rename, say, an
image to zip and it uploads. Is there any way a hacker could rename an
executable to a zip and be able to upload it and execute it?

I can't address your specific question but here are a couple of recommendations:
- Rename the uploaded file so that the user won't know what it's called on the server.
- Store the file outside of the Web directory so it's not accessible via HTTP.


Hope that helps,
Larry


-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
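
An added example, not code from either poster or from the PEAR uploader class: it combines the two recommendations in the reply (a server-chosen file name, storage outside the web directory) with a check of the file's content instead of its extension, which is the gap the question describes. The names `store_upload` and `ALLOWED_TYPES` and the demo directory are hypothetical, and PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// Added example: hypothetical helper, not part of the PEAR uploader class.
declare(strict_types=1);

// Allow-list: detected MIME type => extension we choose for the stored file.
const ALLOWED_TYPES = ['image/gif' => 'gif', 'image/png' => 'png', 'application/zip' => 'zip'];

/**
 * Check the file's content (not its client-supplied name), then move it under
 * a random server-chosen name into $storeDir, which must lie outside the web root.
 * $move is move_uploaded_file in a real handler; the demo below passes rename.
 */
function store_upload(string $tmpPath, string $storeDir, callable $move): string
{
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($type === false || !isset(ALLOWED_TYPES[$type])) {
        throw new RuntimeException('rejected: content type ' . var_export($type, true));
    }
    // Random name: the uploader cannot predict or influence it.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    if (!$move($tmpPath, $storeDir . DIRECTORY_SEPARATOR . $stored)) {
        throw new RuntimeException('could not move upload');
    }
    return $stored; // keep the mapping to the original name in a database if needed
}

// Demo with constructed sample files (run from the CLI).
// Assumption: this temp directory stands in for a directory outside the web root.
$storeDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_demo';
if (!is_dir($storeDir)) { mkdir($storeDir, 0700, true); }

$samples = [
    'holiday.gif' => "GIF89a\x01\x00\x01\x00\x00\x00\x00;", // constructed GIF bytes
    'archive.zip' => "just text, not a ZIP archive\n",      // name says .zip, content does not
];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    try {
        echo $clientName, ' stored as ', store_upload($tmp, $storeDir, 'rename'), "\n";
    } catch (RuntimeException $e) {
        echo $clientName, ' ', $e->getMessage(), "\n";
        unlink($tmp);
    }
}
```

In a web handler, pass `$_FILES['field']['tmp_name']` and `'move_uploaded_file'`, and serve stored files through a script that reads them from the storage directory.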


