> > Thank you for this information. Does this mean that if
> > someone tries to upload a php script, for example, but
> > calls it image.jpg, getimagesize() will know it's not
> > an image file?
> >
> > At the moment I'm just checking the extension

A file can have any name or extension. However, your webserver is configured to look at the filename extension and execute files with the .php extension in the PHP webserver module. Hence a PHP file named file.jpg will not be executed as PHP. If it were placed in a web directory and called up with a web URL, more than likely the source code of the script would be revealed.

It is important that uploaded files be audited to ensure that they are the type expected. Also, it is unwise to place files in a web directory where they can be accessed through a URL from a web browser. Instead, the uploaded files can be placed in a directory outside the web space, and a handler script can be used to get the file, since PHP scripts can access the entire filesystem if the permissions are set accordingly.

The getimagesize() function will attempt to determine the image type of the file and it can also supply a MIME type for the file (i.e. image/jpeg). What I normally do is look at the MIME type from the uploaded file in the $_FILES array and compare it with the MIME type revealed by getimagesize(). If it does not match, perhaps something suspicious is going on.

James
_____

James D. Keeline
http://www.Keeline.com  http://www.Keeline.com/articles
http://Stratemeyer.org  http://www.Keeline.com/TSCollection

http://www.ITeachPHP.com -- Free Computer Classes: Linux, PHP, etc.
Fall Semester Begins Sep 7 -- New Classes Start Every Few Weeks.
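
The approach described in the message above (compare the MIME type in $_FILES with the one getimagesize() reports, store the file outside the web space, and serve it through a handler script), written out as an added example that is not code from the original post. The function names, the `UPLOAD_DIR` path and the `ALLOWED` list are assumptions made for illustration.

```php
<?php
// Added example. UPLOAD_DIR, ALLOWED and both function names are hypothetical.
const UPLOAD_DIR = '/var/uploads/images';   // assumed location outside the web root
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // MIME type derived from the file contents, checked against an allow-list.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info['mime']])) {
        throw new RuntimeException('Not an accepted image type');
    }
    // $file['type'] is supplied by the client; it is compared, never trusted alone.
    if ($file['type'] !== $info['mime']) {
        error_log(sprintf('Upload MIME mismatch: claimed=%s detected=%s',
            $file['type'], $info['mime']));
        throw new RuntimeException('Declared type does not match file contents');
    }
    // Server-generated name; the extension comes from the detected type,
    // not from the filename the client sent.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info['mime']];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('Could not store file');
    }
    return $name;
}

// Handler script body: serves a stored file by its generated name only.
function send_stored_image(string $name): void
{
    // Accept only names this code generated, so no path components get through.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    $info = is_file($path) ? @getimagesize($path) : false;
    if ($info === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

An upload form handler would call `store_uploaded_image($_FILES['photo'])`, where the field name `photo` is also an assumption, and keep the returned name for later use with `send_stored_image()`.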
