Re: [PHP] Is this really a pdf?

2006-08-08 Thread Sjef
Thanks very much guys!
I do realize that it is not foolproof, but better than nothing. In my 
situation mime_content_type doesn't work, so I will have to settle for the 
other method.
Sjef 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Is this really a pdf?

2006-08-08 Thread KermodeBear
If your server has the appropriate programs installed, there ARE some
command line utilities that can take a PDF and convert it to another form;
you can execute them with an exec call. Theoretically, if the PDF is corrupt
they will print out some kind of error which you can capture.

It could also take up a ton of processing power if you do a lot of this, so
be careful on the implementation. (o:

I don't know if this is an option for you or not, but it is something that
was done at my last company to verify that uploaded PDFs were at least
readable by -something-.

For Linux there is pdf2ps, and iirc there is some other program out there
that just pulls out the text.

HTH,
-K.Bear

-Original Message-
From: Sjef [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, August 08, 2006 6:09 AM
To: php-general@lists.php.net
Subject: Re: [PHP] Is this really a pdf?

Thanks very much guys!
I do realize that it is not foolproof, but better than nothing. In my 
situation mime_content_type doesn't work, so I will have to settle for the 
other method.
Sjef 




Re: [PHP] Is this really a pdf?

2006-08-07 Thread Ed Curtis


On Mon, 7 Aug 2006, Sjef wrote:

> Is it possible to recognize if a file for upload really is a pdf (like the
> function getimagesize returns the file type of the image)?
> Thanks,
> Sjef

Yes it is.

$_FILES['{form_field_name}']['type'] is your friend here. Just match it
against a mime type you're looking for.

Ed Curtis




Re: [PHP] Is this really a pdf?

2006-08-07 Thread Richard Lynch
On Mon, August 7, 2006 9:08 am, Sjef wrote:
> Is it possible to recognize if a file for upload really is a pdf (like
> the function getimagesize returns the file type of the image)?

It should be noted that getimagesize is also not fool-proof for the
same reasons as the PDF first-4 bytes == '%PDF' is not secure.

getimagesize only looks at the first N bytes to figure out
width/height/etc.

It's a bit more complex than the PDF version, as it has to choose the
right bytes for the given image type, but it's not an exhaustive check
that the file *IS* a valid image file.

That said, this can be one more simple/easy barrier in place in a
series of security checks, both for Images and PDFs.

The only way to be 99.9% certain an image is a valid image is to
have a human eyeball look at it -- leaving the remainder of a
percentage for art images too weird to be distinguished from noise.

It's also theoretically possible that some single specific image out
there could look fine, but by sheer coincidence that specific
sequence of bytes could ALSO be a malicious program.

That's kind of pointless in the general sense, except as an indicator
that you will never get 100% certainty, so it's probably best to do
several fast easy checks that rely on un-related data so that you have
a series of barriers rather than a single point of failure in your
security.

-- 
Like Music?
http://l-i-e.com/artists.htm




Re: [PHP] Is this really a pdf?

2006-08-07 Thread Richard Lynch
On Mon, August 7, 2006 10:04 am, Ed Curtis wrote:

> On Mon, 7 Aug 2006, Sjef wrote:
>
>> Is it possible to recognize if a file for upload really is a pdf
>> (like the function getimagesize returns the file type of the image)?
>> Thanks,
>> Sjef
>
> Yes it is.
>
> $_FILES['{form_field_name}']['type'] is your friend here. Just match
> it against a mime type you're looking for.

$_FILES[*]['type'] is pretty useless all around...

It's useless as a Security method because a Bad Guy can send anything
they want for that.

It's useless in the general sense because IE and Mozilla-esque
browsers send *different* MIME types for the same file.

There is no standard they are following for what is the MIME type of a
JPEG, PNG, etc.  So you'd have to predict every possible MIME type
that a browser *might* send for any given file type, and there's no
predicting IE, for starters.

It would be nice if the browsers provided standardized info, as this
would be one more hurdle to put in the way of errors, but as it stands
now, I'd avoid bothering with it.  Too much hassle for too little
payoff.

-- 
Like Music?
http://l-i-e.com/artists.htm
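
The layered approach discussed in this thread (several cheap checks on unrelated data, none relying on the browser-supplied type), as an added example that is not code from any poster. The form field name "document", the 10 MiB limit and the function name are assumptions; the fileinfo check is skipped where that extension is unavailable.

```php
<?php
// Added example, not code from the thread. The form field name "document"
// and the 10 MiB size limit are assumptions.
const MAX_PDF_BYTES = 10 * 1024 * 1024;
// Returns the list of failed checks; empty means all cheap checks passed,
// which still does not prove the file is a well-formed or harmless PDF.
function pdf_upload_problems(string $path): array
{
    $size = filesize($path);
    if ($size === false || $size < 16 || $size > MAX_PDF_BYTES) {
        return ['size out of range'];
    }
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return ['unreadable'];
    }
    $head = fread($fh, 8);
    fseek($fh, -min(1024, $size), SEEK_END);
    $tail = fread($fh, 1024);
    fclose($fh);

    $problems = [];
    // Check 1: header magic (the "first bytes == %PDF" test from the thread).
    if (!preg_match('/^%PDF-\d\.\d/', $head)) {
        $problems[] = 'missing %PDF- header';
    }
    // Check 2: unrelated data at the other end of the file.
    if (strpos($tail, 'startxref') === false || strpos($tail, '%%EOF') === false) {
        $problems[] = 'missing startxref/%%EOF trailer';
    }
    // Check 3: server-side content sniffing, skipped if fileinfo is absent.
    if (class_exists('finfo')) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
        if ($mime !== 'application/pdf') {
            $problems[] = 'fileinfo reports ' . var_export($mime, true);
        }
    }
    return $problems;
}

// Upload handler: $_FILES[...]['type'] is client-supplied and never consulted.
$upload = $_FILES['document'] ?? null;
if ($upload !== null && is_uploaded_file($upload['tmp_name'])) {
    $problems = pdf_upload_problems($upload['tmp_name']);
    if ($problems !== []) {
        error_log('PDF upload rejected: ' . implode('; ', $problems));
        http_response_code(415);
        exit('Not a PDF');
    }
}
```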
