Thanks Miguel,

Actually, I figured out how to do it: a combination of  checking:
if ( $_REQUEST['pix']['type'] == "image/jpeg")}  blah, blah, blah

and then using 'fread' on the actual file itself, applying my 'eregi' 
verification code. It works! 

The problem before was that I was attempting to read the array, rather than 
the actuial file. Thanks for the link.

Btw, I still confused about how to organize my /var/www/html directory so 
that I can still access it for code, but others will not be able to say 
access /var/www/html/tmp_for_checking_files_like_jpegs. I've made a temporary 
change (for protyping) to php.ini using /var/www/html as the upload_temp_dir, 
but I don't know how or where it should go in production. Any suggestions?

Tia, Andre 

On Wednesday 15 May 2002 02:36 pm, you wrote:
> On Tue, 14 May 2002, Andre Dubuc wrote:
> > My question will probably expose my woeful lack understanding of security
> > breaches, but perhaps someone can enlighten me.
> >
> > On my site, registered members will be allowed to upload jpg/jpeg
> > pictures. I'm concerned about possible security problems. First, is there
> > a way to ensure that a picture (and not some other malicious stuff) has
> > been uploaded?
> >
> > Aside from checking the mime type info associated with the file, is there
> > any way of verifying what's in the file that has been uploaded? (I'm
> > using Linux LM8.2) Would it be possible to fake info to fool this check?
> > Would verification checks for html/scripts/commands be of any use?
> You can pass the path to the unix command 'file' which looks at the file's
> prologue to attempt to figure out what it is. This is usually a pretty
> good way to weed out trouble.
> miguel

Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.

May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet:

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to