Rasmus Lerdorf <[EMAIL PROTECTED]> wrote:
> Are you afraid of someone embedding PHP in a .jpg file?  That's not really
> an issue as your web server is probably configured to only serve up PHP as
> .php files.  Likewise, your web server config is likely such that any .jpg
> file is served up as content-type image/jpeg and as such it really doesn't
> matter what sort of junk is embedded in the image.  At most it will show
> up as a broken image icon in your browser.

right.

the thing you may need to worry about, if you provide some sort of
service that allows for anyone to upload a jpeg file that anyone else
can then download, is people using programs that piggyback other data
(mp3 files, rar archives, etc) on those images.

one simple check you can do to minimize this is to compare the image
dimensions to the file size -- if you've got a 120x120 image in a three
meg jpeg file, something is probably awry. so with a combination of
php's getimagesize() and filesize(), you can try to detect that sort of
thing.

(this is one of the problems that plague sites that provide free
webspace. it's only a security issue insofar as this can constitute an
effective denial-of-service 'attack' on your systems.)

jim

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
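
The getimagesize()/filesize() comparison suggested in the message above, as an added example that is not part of the original thread. The function name check_upload_size() and both threshold constants are assumptions chosen for illustration, and the sample files are constructed with the GD extension.

```php
<?php
// Added example, not code from the thread. Both thresholds are assumptions;
// tune them against the legitimate uploads your service actually receives.
const RAW_BYTES_PER_PIXEL = 3;      // size of the same image as uncompressed 24-bit RGB
const METADATA_ALLOWANCE  = 65536;  // assumed headroom for EXIF/ICC segments

/**
 * Returns null when the file size is plausible for its pixel dimensions,
 * otherwise a short reason to reject the upload or queue it for review.
 */
function check_upload_size(string $path): ?string
{
    $info = @getimagesize($path);   // parses headers only, ignores trailing data
    if ($info === false) {
        return 'not a recognisable image';
    }
    [$width, $height, $type] = $info;
    if ($type !== IMAGETYPE_JPEG || $width < 1 || $height < 1) {
        return 'not a valid JPEG';
    }
    clearstatcache(true, $path);    // avoid a stale cached size
    $bytes = filesize($path);
    if ($bytes === false) {
        return 'cannot stat file';
    }
    // A JPEG larger than its own uncompressed bitmap is carrying something extra.
    $ceiling = $width * $height * RAW_BYTES_PER_PIXEL + METADATA_ALLOWANCE;
    if ($bytes > $ceiling) {
        return sprintf('%dx%d image occupies %d bytes (ceiling %d)',
                       $width, $height, $bytes, $ceiling);
    }
    return null;
}

// Constructed sample input: a 120x120 JPEG, and a copy padded to about 3 MB.
if (PHP_SAPI === 'cli' && function_exists('imagecreatetruecolor')) {
    $clean = tempnam(sys_get_temp_dir(), 'img');
    imagejpeg(imagecreatetruecolor(120, 120), $clean, 90);

    $padded = tempnam(sys_get_temp_dir(), 'img');
    copy($clean, $padded);
    file_put_contents($padded, str_repeat("\0", 3 * 1024 * 1024), FILE_APPEND);

    var_dump(check_upload_size($clean));    // plain image
    var_dump(check_upload_size($padded));   // same image with trailing bytes
    unlink($clean);
    unlink($padded);
}
```

The ceiling is deliberately generous, so it only catches gross mismatches like the 120x120 three-megabyte case; a per-user quota is still needed for the storage and bandwidth side of the problem.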
