Rasmus Lerdorf <[EMAIL PROTECTED]> wrote:
> Are you afraid of someone embedding PHP in a .jpg file?  That's not really
> an issue as your web server is probably configured to only serve up PHP as
> .php files.  Likewise, your web server config is likely such that any .jpg
> file is served up as content-type image/jpeg and as such it really doesn't
> matter what sort of junk is embedded in the image.  At most it will show
> up as a broken image icon in your browser.


the thing you may need to worry about, if you provide some sort of
service that allows for anyone to upload a jpeg file that anyone else
can then download, is people using programs that piggyback other data
(mp3 files, rar archives, etc) on those images.

one simple check you can do to minimize this is to compare the image
dimensions to the file size -- if you've got a 120x120 image in a three
meg jpeg file, something is probably awry. so with a combination of
php's getimagesize() and filesize(), you can try to detect that sort of

(this is one of the problems that plague sites that provide free
webspace. it's only a security issue insofar as this can constitute an
effective denial-of-service 'attack' on your systems.)


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to