Re: [PHP] Trapping for PDF Type and file size in a UPLOAD form...
** Hans Åhlin Tel: +46761488019 icq: 275232967 http://www.kronan-net.com/ irc://irc.freenode.net:6667 - TheCoin **

2010/7/30 Pete Ford

> On 29/07/10 19:10, tedd wrote:
>
>> At 9:50 AM -0700 7/29/10, Don Wieland wrote:
>>
>>> I am trying to create an UPLOAD form and need to figure a way to only
>>> allow PDF files to be selected.
>>>
>>
>> The short answer is you can't -- not from php. You can create a standard
>> form and upload it from there, but you don't have control over file type.
>>
>> So you can't stop people from uploading anything to your site via the
>> form, but you can look at the document once it's there and inspect it.
>> Using a HEX Editor, I see that most pdf files have the first four bytes
>> as "%PDF" so you might check that before moving the file to somewhere
>> important. But that doesn't stop spoofing.
>>
>> The pdf files also end with "startxref [some numbers] %%EOF"
> Other than that, I can't see any way to do it.
>>
>> Cheers,
>>
>> tedd
>>
>
> Second what tedd says, with a bit more: on a Linux backend system I run
> uploaded files through the 'file' command with a decent magic file to detect
> the file type. I also run every upload through a virus scanner (clamscan,
> for example) before I accept it.
> If your PHP backend is windows then you might need to do some research to
> find a good file-type detection routine, although the virus scanning should
> be possible.
>
> You certainly cannot trust the client side to do any checking. In any case,
> JavaScript doesn't (shouldn't) have access to the file you are trying to
> upload, so there's not much you can do there. You might achieve something
> client-side with Flash, or a Java uploader applet, I suppose.
>
> Cheers
> Pete
>
> --
> Peter Ford, Developer phone: 01580 89 fax: 01580 893399
> Justcroft International Ltd.
> www.justcroft.com
> Justcroft House, High Street, Staplehurst, Kent TN12 0AH United Kingdom
> Registered in England and Wales: 2297906
> Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Trapping for PDF Type and file size in a UPLOAD form...
On 29/07/10 19:10, tedd wrote:

> At 9:50 AM -0700 7/29/10, Don Wieland wrote:
>
>> I am trying to create an UPLOAD form and need to figure a way to only
>> allow PDF files to be selected.
>
> The short answer is you can't -- not from php. You can create a standard
> form and upload it from there, but you don't have control over file type.
>
> So you can't stop people from uploading anything to your site via the
> form, but you can look at the document once it's there and inspect it.
> Using a HEX Editor, I see that most pdf files have the first four bytes
> as "%PDF" so you might check that before moving the file to somewhere
> important. But that doesn't stop spoofing.
>
> Other than that, I can't see any way to do it.
>
> Cheers,
>
> tedd

Second what tedd says, with a bit more: on a Linux backend system I run
uploaded files through the 'file' command with a decent magic file to detect
the file type. I also run every upload through a virus scanner (clamscan,
for example) before I accept it.
If your PHP backend is windows then you might need to do some research to
find a good file-type detection routine, although the virus scanning should
be possible.

You certainly cannot trust the client side to do any checking. In any case,
JavaScript doesn't (shouldn't) have access to the file you are trying to
upload, so there's not much you can do there. You might achieve something
client-side with Flash, or a Java uploader applet, I suppose.

Cheers
Pete

--
Peter Ford, Developer phone: 01580 89 fax: 01580 893399
Justcroft International Ltd. www.justcroft.com
Justcroft House, High Street, Staplehurst, Kent TN12 0AH United Kingdom
Registered in England and Wales: 2297906
Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS
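Added example, not part of any message in this thread: the server-side checks the replies describe (the 1 MB limit, the "%PDF" header, the "startxref ... %%EOF" trailer, and libmagic detection as used by the 'file' command) combined in one PHP upload handler. The function name validate_pdf_upload, the form field name "userfile" and the directory /var/uploads/ are assumptions made for the example.

```php
<?php
// Added example, not from the thread. The form field name "userfile" and the
// storage directory /var/uploads/ are assumptions.
const MAX_BYTES = 1048576; // the 1 MB limit asked for in the original question

// Returns null when the upload passes every check, otherwise an error message.
function validate_pdf_upload(array $file): ?string
{
    $tmp = $file['tmp_name'] ?? '';
    // Reject failed uploads and any tmp_name PHP did not create for this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        return 'Upload failed.';
    }
    // Measure the file on disk; $file['type'] is sent by the browser and ignored.
    $size = filesize($tmp);
    if ($size === false || $size > MAX_BYTES) {
        return 'File uploads may not exceed 1M in file size. Please try again.';
    }
    // First four bytes (header) and at most the last 1024 bytes (trailer).
    $head = file_get_contents($tmp, false, null, 0, 4);
    $tail = file_get_contents($tmp, false, null, max(0, $size - 1024));
    // Strict form of the trailer: startxref, an offset, %%EOF, optional whitespace.
    $trailerOk = preg_match('/startxref\s+\d+\s+%%EOF\s*$/', (string) $tail) === 1;
    // libmagic, the same detection the 'file' command uses.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($head !== '%PDF' || !$trailerOk || $mime !== 'application/pdf') {
        return 'You can only upload PDF files. Please try again.';
    }
    return null;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['userfile'])) {
    $error = validate_pdf_upload($_FILES['userfile']);
    if ($error !== null) {
        http_response_code(400);
        exit($error);
    }
    // Server-generated name: the client's filename never reaches the filesystem.
    $dest = '/var/uploads/' . bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($_FILES['userfile']['tmp_name'], $dest)) {
        http_response_code(500);
        exit('Could not store file.');
    }
    echo 'Stored.';
}
```

A virus scan such as the clamscan pass Pete describes would run on the temporary file before move_uploaded_file(). Passing these checks shows the file is shaped like a PDF, not that its contents are harmless, which is the spoofing limit tedd points out.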
Re: [PHP] Trapping for PDF Type and file size in a UPLOAD form...
At 9:50 AM -0700 7/29/10, Don Wieland wrote:

> I am trying to create an UPLOAD form and need to figure a way to only
> allow PDF files to be selected.

The short answer is you can't -- not from php. You can create a standard
form and upload it from there, but you don't have control over file type.

So you can't stop people from uploading anything to your site via the
form, but you can look at the document once it's there and inspect it.
Using a HEX Editor, I see that most pdf files have the first four bytes
as "%PDF" so you might check that before moving the file to somewhere
important. But that doesn't stop spoofing.

Other than that, I can't see any way to do it.

Cheers,

tedd

--
http://sperling.com http://ancientstones.com http://earthstones.com
Re: [PHP] Trapping for PDF Type and file size in a UPLOAD form...
On Jul 29, 2010, at 12:50 PM, Don Wieland wrote:

> I am trying to create an UPLOAD form and need to figure a way to only allow
> PDF files to be selected. Something like:
>
> accept="application/pdf" />
> Choose a file to upload: type="file" />
>
> It is documented online that I can pass a parameter ACCEPT="application/pdf",
> BUT it is not recognized in most browsers.
>
> It was suggested by someone that I could trap for this using a JAVASCRIPT.
> Can someone assist with a snippet of javascript code to trap for this for me?
> This is the end result I need:
>
> If the user selects a file that IS NOT a PDF file, display a javascript
> alert "You can only upload PDF files. Please try again."
>
> If the user selects a PDF file greater than 1MB, display a javascript alert
> "File uploads may not exceed 1M in file size. Please try again."
>
> I appreciate any help that can be offered. Thanks in advance!
>
> Don Wieland

Don-

Remember that anything submitted by the client can be spoofed or faked.
Ensure that your PHP script accounts for Javascript being disabled.

Past that, I'm sure you can get results from somewhere like
Stackoverflow.com instead of a PHP mailing list.

Thanks,
-Josh
Re: [PHP] Trapping for PDF Type and file size in a UPLOAD form...
On Thu, 2010-07-29 at 09:50 -0700, Don Wieland wrote:

> I am trying to create an UPLOAD form and need to figure a way to only
> allow PDF files to be selected. Something like:
>
> accept="application/pdf" />
> Choose a file to upload: type="file" />
>
> It is documented online that I can pass a parameter
> ACCEPT="application/pdf", BUT it is not recognized in most browsers.
>
> It was suggested by someone that I could trap for this using a
> JAVASCRIPT. Can someone assist with a snippet of javascript code to
> trap for this for me? This is the end result I need:
>
> If the user selects a file that IS NOT a PDF file, display a
> javascript alert "You can only upload PDF files. Please try again."
>
> If the user selects a PDF file greater than 1MB, display a javascript
> alert "File uploads may not exceed 1M in file size. Please try again."
>
> I appreciate any help that can be offered. Thanks in advance!
>
> Don Wieland

Perhaps asking on a Javascript list might be better for this particular
question, as this is a PHP list... ;)

Thanks,
Ash
http://www.ashleysheridan.co.uk