On Tue, 14 May 2002, Andre Dubuc wrote:
> My question will probably expose my woeful lack of understanding of security 
> breaches, but perhaps someone can enlighten me.
> 
> On my site, registered members will be allowed to upload jpg/jpeg 
> pictures. I'm concerned about possible security problems. First, is there a 
> way to ensure that a picture (and not some other malicious stuff) has been 
> uploaded? 
> 
> Aside from checking the mime type info associated with the file, is there any 
> way of verifying what's in the file that has been uploaded? (I'm using Linux 
> LM8.2) Would it be possible to fake info to fool this check? Would 
> verification checks for html/scripts/commands be of any use?

You can pass the path to the unix command 'file' which looks at the file's 
prologue to attempt to figure out what it is. This is usually a pretty 
good way to weed out trouble.

  http://www.doc.ic.ac.uk/lab/labman/lookup-man.cgi?file

miguel


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
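
The check suggested in the reply above, as an added example that is not part of the original message: the type is taken from the file's leading bytes with `file`, never from the client-supplied name or MIME type. The function names, the `od` fallback, and the storage policy (server-chosen name, non-executable mode) are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical.

# Print the MIME type inferred from the file's leading bytes, never from the
# client-supplied name or Content-Type header.
sniff_type() {
    if command -v file >/dev/null 2>&1; then
        file -b --mime-type -- "$1"
    else
        # Fallback when file(1) is absent: compare the first three bytes
        # with the JPEG start-of-image signature FF D8 FF.
        sig=$(od -An -tx1 -N3 -- "$1" | tr -d ' \n')
        if [ "$sig" = "ffd8ff" ]; then
            echo image/jpeg
        else
            echo application/octet-stream
        fi
    fi
}

# accept_upload TMPFILE DESTDIR
# Stores TMPFILE in DESTDIR only if it sniffs as JPEG. Prints the stored
# path on success; returns 1 and stores nothing otherwise.
accept_upload() {
    src=$1
    dest=$2
    # Only regular files are accepted; symlinks are refused.
    [ -f "$src" ] && [ ! -L "$src" ] || return 1
    [ "$(sniff_type "$src")" = "image/jpeg" ] || return 1
    # The prologue check only covers the start of the file, so the stored
    # name and extension are chosen here and the mode is non-executable.
    out=$(mktemp "$dest/img.XXXXXX") || return 1
    if cp -- "$src" "$out" && chmod 0644 "$out" && mv -- "$out" "$out.jpg"; then
        printf '%s\n' "$out.jpg"
    else
        rm -f -- "$out"
        return 1
    fi
}
```

Call `accept_upload` with the temporary upload path and a storage directory; a file that merely carries a `.jpg` name is rejected because the name is never consulted.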
