On 4/25/07, Satyam <[EMAIL PROTECTED]> wrote:
Sorry I'm late to this thread, I don't know if it has been mentioned, but
most files have a 'magic number' at the beginning of the file, which usually
reads as a couple of letters or more.  I think EXE files start with MZ, gifs
with GIFxx where xx is the last two digits of the year of the standard.
Just open files of the types you are concerned about and check the first few
characters.

Satyam

I believe that mime_content_type does this, by reading a .magic file.
In a magic file, there are these described I believe. But how would
you detect (by a magic number) if a script is HTML or PHP? No way :P
Of course, it's both not valid for an image file, but you might be
worried when the first magic bytes are faked. Does somebody care if
there are a few magic bytes displayed at the top of his page?

Tijnema

Ps. Please don't top post.

----- Original Message -----
From: "Richard Lynch" <[EMAIL PROTECTED]>
To: "Jonathan" <[EMAIL PROTECTED]>
Cc: <php-general@lists.php.net>
Sent: Wednesday, April 25, 2007 4:30 AM
Subject: Re: [PHP] Re: how to detect type of image


> On Sun, April 22, 2007 10:35 am, Jonathan wrote:
>> Alain Roger wrote:
>>> Hi,
>>>
>>> In my web application, end user is able to load images (png, jpeg,
>>> gif,..)
>>> into database.
>>> I would like to know how can i detect automatically the type of
>>> image (pnd,
>>> jpeg,...) ?
>>> i do not want to check the extension because this is easily faked...
>>> just by
>>> renaming it.
>>>
>>> Does it exist a technique for that ?
>>>
>>> thanks a lot,
>>>
>>
>> Is there anything wrong with just using
>> $_FILES['upload_name']['type']?
>
> Yes.
>
> The first thing wrong, is that the idiot browser-makers can't even
> agree on what to cram into that when a user uploads a simple JPEG,
> much less some more esoteric document.  So, right there, what you have
> in there under "normal" circumstances is pretty much garbage.
>
> The second thing wrong is that the Bad Guys can cram any dang thing
> they want in there, regardless of what they are uploading.  So they
> can upload a nice .exe binary file and cram "image/jpeg" into the
> type.  If your script is equally insecure throughout, then you could
> easily end up having an executable file up on your server that the Bad
> Guy wrote, and all they have to do is surf to it for it to run.  That
> would be bad, just in case it's not terribly obvious. :-)
>
> Other than that, though, it's fine and dandy to use it... :-)
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some indie artist.
> http://cdbaby.com/browse/from/lynch
> Yeah, I get a buck. So?
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
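The approach the thread converges on (ignore `$_FILES[...]['type']`, read the leading bytes, and remember that a genuine image header can be followed by anything) as a worked PHP example. This is an added illustration, not code posted by anyone in the thread; the signature table, the `$storageDir` path and the function names are assumptions made here.

```php
<?php
// Added example (not from the thread): validate an upload by its leading
// "magic" bytes instead of trusting $_FILES[...]['type'], which the browser
// (or whoever crafted the request) fills in freely.

// Signatures assumed here for the three formats the thread mentions.
const IMAGE_MAGIC = [
    'image/png'  => "\x89PNG\r\n\x1a\n",
    'image/jpeg' => "\xFF\xD8\xFF",
    'image/gif'  => ['GIF87a', 'GIF89a'],
];

/**
 * Returns the MIME type implied by the file's first bytes, or null if it
 * matches none of the allowed image signatures.
 */
function sniffImageType(string $path): ?string
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 8);
    fclose($fh);
    if ($head === false) {
        return null;
    }
    foreach (IMAGE_MAGIC as $mime => $sigs) {
        foreach ((array) $sigs as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                return $mime;
            }
        }
    }
    return null;
}

/**
 * Hardened intake: magic check, libmagic cross-check, then re-encode through
 * GD so that anything appended after a real image header (the "faked magic
 * bytes" concern in the thread) is discarded. The result is stored under a
 * server-chosen name; $storageDir is assumed to be outside the web root.
 * Returns the stored path, or null if the upload is rejected.
 */
function acceptImageUpload(array $file, string $storageDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = sniffImageType($file['tmp_name']);
    if ($mime === null) {
        return null; // not PNG/JPEG/GIF by content, whatever ['type'] claims
    }
    // Second opinion from libmagic (the .magic database mentioned in the
    // thread); it must agree with our own sniff.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== $mime) {
        return null;
    }
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null; // header looked right but the body does not decode
    }
    $ext  = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'][$mime];
    $dest = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = match ($mime) {
        'image/png'  => imagepng($img, $dest),
        'image/jpeg' => imagejpeg($img, $dest, 90),
        'image/gif'  => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Usage (assumed form field name "upload_name", as in the thread):
// $stored = acceptImageUpload($_FILES['upload_name'], '/var/app/uploads');
```

The re-encode step is what answers Tijnema's objection: a file that starts with valid GIF bytes but carries script text behind them passes a magic-number check, yet after `imagecreatefromstring` and `imagegif` only the decoded pixels survive. The trade-off is that GD re-encoding drops GIF animation and recompresses JPEGs, so keep the original only if you also keep it out of any path the web server will execute or serve with a script handler. `match` requires PHP 8; on older releases use an equivalent `switch`.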