On 29/07/10 19:10, tedd wrote:
At 9:50 AM -0700 7/29/10, Don Wieland wrote:
I am trying to create an UPLOAD form and need to figure a way to only
allow PDF files to be selected.

The short answer is you can't -- not from php. You can create a standard
form and upload it from there, but you don't have control over file type.

So you can't stop people from uploading anything to your site via the
form, but you can look at the document once it's there and inspect it.
Using a HEX Editor, I see that most pdf file have the first four bytes
as "%PDF" so you might check that before moving the file to somewhere
important. But that doesn't stop spoofing.

Other than that, I can't see any way to do it.



Second what tedd says, with a bit more: on a Linux backend system I run uploaded files through the 'file' command with a decent magic file to detect the file type. I also run every upload through a virus scanner (clamscan, for example) before I accept it. If your PHP backend is windows then you might need to do some research to find a good file-type detection routine, although the virus scanning should be possible.

You certainly cannot trust the client side to do any checking. In any case, JavaScript doesn't (shouldn't) have access to the file you are trying to upload, so there's not much you can do there. You might achieve something client-side with Flash, or a Java uploader applet, I suppose.


Peter Ford, Developer                 phone: 01580 893333 fax: 01580 893399
Justcroft International Ltd.                              www.justcroft.com
Justcroft House, High Street, Staplehurst, Kent   TN12 0AH   United Kingdom
Registered in England and Wales: 2297906
Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to