Have a look at the getimagesize() function.  This function looks at the
actual file data, not the mime type nor the file's extension but the data
itself and tells you what sort of image file it is.

And no, it wouldn't really be after the fact because PHP stores the
file with a temporary random filename in /tmp ensuring not to overwrite
anything that is already there.  It is then your job to perform the check
and copy the file to some appropriate directory on your server.  If you
don't do anything with the file, PHP will automatically delete it at the
end of the request.


On Tue, 14 May 2002, Andre Dubuc wrote:

> My question will probably expose my woeful lack of understanding of security
> breaches, but perhaps someone can enlighten me.
> On my site, registered members will be allowed to upload jpg/jpeg
> pictures. I'm concerned about possible security problems. First, is there a
> way to ensure that a picture (and not some other malicious stuff) has been
> uploaded?
> Aside from checking the mime type info associated with the file, is there any
> way of verifying what's in the file that has been uploaded? (I'm using Linux
> LM8.2) Would it be possible to fake info to fool this check? Would
> verification checks for html/scripts/commands be of any use?
> Secondly, since the file in question is already uploaded and saved to disk in
> /tmp or wherever, wouldn't any verification scheme be sort of,
> 'after-the-fact'?
> I would appreciate any input, suggestions, or ideas on what to do here. Am I
> being overly paranoid about this, or do I have a legitimate security concern?
> Using: Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2
> Tia,
> Andre
>  --
> Please pray the Holy Rosary to end the holocaust of abortion.
> Remember in your prayers the Holy Souls in Purgatory.
> May God bless you abundantly in His love!
> For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

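The flow the reply describes (let PHP land the file in its temp directory, inspect the actual bytes with getimagesize(), then copy a server-named file into place), written out as an added example. This is not code from the thread and uses modern PHP (7+), not the PHP 4.1.2 the poster is running; the form field name "picture" and the destination directory /var/www/uploads are assumptions. It also covers the "can the check be fooled?" question: a file can be a perfectly valid JPEG and still carry trailing script bytes, so the example re-encodes the image through GD rather than copying the uploaded bytes as-is, which discards anything that is not pixel data.

```php
<?php
// Added example (not from the thread): validate and store a user-uploaded JPEG.
// Assumes a form field named "picture" (hypothetical) and a destination
// directory outside the web root, /var/www/uploads (hypothetical).

function validate_jpeg_upload(array $file, int $maxBytes = 2 * 1024 * 1024): array
{
    // 1. Upload sanity: PHP must have placed this file in its temp directory
    //    during this request, and the transfer must have completed.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed (error code ' . ($file['error'] ?? 'n/a') . ')'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    if ($file['size'] > $maxBytes) {
        return [false, 'file too large'];
    }

    // 2. Inspect the bytes, not the client-supplied MIME type or extension.
    //    getimagesize() returns false when the data is not a recognisable image,
    //    and element [2] is the detected image type (IMAGETYPE_* constant).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return [false, 'not a JPEG'];
    }
    [$width, $height] = $info;
    if ($width < 1 || $height < 1 || $width > 8000 || $height > 8000) {
        return [false, 'unreasonable dimensions'];
    }
    return [true, "jpeg {$width}x{$height}"];
}

function store_jpeg_upload(array $file, string $storeDir): string
{
    // 3. Re-encode through GD. A valid JPEG header is not proof that the whole
    //    file is only image data; decoding and re-encoding keeps the pixels and
    //    drops anything appended after them (and also strips EXIF metadata).
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('JPEG failed to decode');
    }

    // 4. Server-chosen name with a fixed extension; never reuse the client name.
    //    The temp file in /tmp is left alone and PHP removes it at request end.
    $name = bin2hex(random_bytes(16)) . '.jpg';
    $dest = rtrim($storeDir, '/') . '/' . $name;
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

// Usage in the upload handler (form field "picture" assumed):
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['picture'])) {
    [$ok, $msg] = validate_jpeg_upload($_FILES['picture']);
    if (!$ok) {
        http_response_code(400);
        exit("Rejected: $msg");
    }
    $saved = store_jpeg_upload($_FILES['picture'], '/var/www/uploads');
    echo "Stored as $saved ($msg)";
}
```

Two design points worth noting: the stored name is generated by the server, so nothing the client sent (filename, extension, MIME type) ever reaches the filesystem, and the destination directory is outside the document root so even a file that slipped past the checks is served through a script rather than executed by the web server.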