Hi Marc,

Thank you for this information. Does this mean that if someone tries to upload a PHP script, for example, but calls it image.jpg, getimagesize() will know it's not an image file? At the moment I'm just checking the extension, but I don't think the way I'm doing it would catch the image.jpg (which is really image.php).
Jan

-------Original Message-------
From: Marc Boncz
Date: 11/12/05 18:54:02
To: [email protected]
Subject: RE: [php-list] Digest Number 1859

Hi Jan,

> Once you move the file from the temporary location to a more
> permanent one, use the getimagesize() function on the file.

Use it for something else too: If you have a form where users can upload a file, you want them to upload only images. Not scripts, for instance, that they just gave a name ending in ".jpg". Just to avoid them deducing where the script (image) was stored and then calling it to be executed. Getimagesize also gives the type of image, so you can decide what types of images to accept:

    $AcceptableImages = array(1, 2, 3, 6); // 1 = GIF, 2 = JPEG, 3 = PNG, 6 = BMP
    // getimagesize() returns an array (false for a non-image); element 2 is the image type
    $ImageInfo = getimagesize($_FILES["name_of_file_input"]["tmp_name"]);
    $ImageType = $ImageInfo ? $ImageInfo[2] : 0;
    if (in_array($ImageType, $AcceptableImages)) {
        switch ($ImageType) {
            case 1: $Ext = ".gif"; break;
            case 2: $Ext = ".jpg"; break;
            case 3: $Ext = ".png"; break;
            case 6: $Ext = ".bmp"; break;
        }
        $Filename = $ImagelibraryDir.$Value_derived_from_database_Primary_Key.$Ext;
        if (move_uploaded_file($_FILES["name_of_file_input"]["tmp_name"], $Filename)) {
            // image stored where it should be
            // register image in database
        } else {
            // error message: image could not be stored where it should be
        }
    }

Actually the (in_array()) condition is not necessary; in the switch block include a "default:" where default catches all other file types and tells the user who uploaded the file that only real jpg, gif, png and bmp images are allowed.

Flash files can also be allowed (put a "case 4:" in the block) but require you to take that into account when outputting the page, as object-embedding code may need to be generated in the HTML page where the image is to be shown. Also, Flash files may contain scripts, but that is not that much of a security issue as they run on the user machine and all material requested by a Flash file will be processed first by the webserver.

Marc

------------------------ Yahoo! Groups Sponsor --------------------~-->
Get Bzzzy! (real tools to help you find a job). Welcome to the Sweet Life.
http://us.click.yahoo.com/A77XvD/vlQLAA/TtwFAA/HKFolB/TM
--------------------------------------------------------------------~->

Community email addresses:
Post message: [email protected]
Subscribe: [EMAIL PROTECTED]
Unsubscribe: [EMAIL PROTECTED]
List owner: [EMAIL PROTECTED]

Shortcut URL to this page: http://groups.yahoo.com/group/php-list

[Non-text portions of this message have been removed]
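The upload check Marc describes, written out as an added example (this is not code from the thread or from either poster). It answers Jan's question in code: getimagesize() decides from the file's header bytes, not from the client-supplied name, so a script renamed to image.jpg does not yield an accepted IMAGETYPE_* value and is rejected. The form field name "upload", the $storageDir location and the $recordId parameter are assumptions for the example.

```php
<?php
// Added example, not from the original thread. Validates an uploaded file by
// content with getimagesize() and stores it under a server-chosen name whose
// extension is derived from the detected type, never from the client's filename.
// Assumptions: form field "upload"; $storageDir is a directory the web server
// does not execute scripts from (ideally outside the document root).

declare(strict_types=1);

/** Image types accepted, as getimagesize() type constants. */
const ACCEPTED_TYPES = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_BMP];

/**
 * Returns the extension for a real, accepted image (".gif", ".jpeg", ".png",
 * ".bmp"), or null when the file is not an accepted image.
 */
function detectImageExtension(string $path): ?string
{
    $info = @getimagesize($path);      // false when the header is not a known image format
    if ($info === false) {
        return null;
    }
    $type = $info[2];                  // element 2 is the IMAGETYPE_* constant
    if (!in_array($type, ACCEPTED_TYPES, true)) {
        return null;
    }
    return image_type_to_extension($type, true); // leading dot included
}

/**
 * Moves the uploaded file into $storageDir as "<recordId><ext>" and returns
 * the destination path. Throws on any validation failure.
 */
function handleUpload(string $field, string $storageDir, string $recordId): string
{
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No file uploaded, or the upload failed');
    }
    $tmp = $_FILES[$field]['tmp_name'];
    if (!is_uploaded_file($tmp)) {     // guard against a path that did not come from the upload
        throw new RuntimeException('Not an uploaded file');
    }
    $ext = detectImageExtension($tmp);
    if ($ext === null) {
        throw new RuntimeException('Only real GIF, JPEG, PNG and BMP images are allowed');
    }
    // The record id comes from our own database key, as in Marc's post; restrict
    // it to a safe character set so it cannot alter the destination path.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $recordId)) {
        throw new InvalidArgumentException('Bad record id');
    }
    $dest = rtrim($storageDir, '/') . '/' . $recordId . $ext;
    if (!move_uploaded_file($tmp, $dest)) {
        throw new RuntimeException('Could not store the image');
    }
    return $dest;
}

// Usage (assumed values):
// $saved = handleUpload('upload', '/var/app/imagelibrary', (string) $newImageId);
```

One caveat a practitioner would add: getimagesize() only parses the image header, so passing it proves the file starts like an image, not that the rest of the bytes are harmless. The storage directory therefore still has to be one where the server never executes scripts, and the stored name and extension must come from the server side as above, not from the original filename.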
