[wplug] Clean up a PHP script

Jerod Lycett arenlor at ptd.net
Thu Jan 31 22:32:42 EST 2008



http://www.php.net/features.file-upload
" $_FILES['userfile']['type']

    The mime type of the file, if the browser provided this information.
An example would be "image/gif". This mime type is however not checked
on the PHP side and therefore don't take its value for granted."
"Beware the mime-types! Given the GIF security issue that has been doing
the rounds recently you may be inclined to validate an update based on
its reported mime-type from the $_FILES array. However be careful with
this - it is set by the *browser*, not by PHP or the web server, and
browsers are not consistent (what's new?!)

For example IE6/7 will upload a progressive JPEG as image/pjpeg, while
Firefox and Opera will upload it as image/jpeg. More importantly IE will
try and determine the mime type of the file by actually inspecting its
contents. For example if you rename a perfectly valid PNG file to end
with .zip instead, IE will still send a mime type of image/x-png,
where-as Firefox and Opera will send application/x-zip-compressed and
application/zip respectively, even though the file is a valid PNG."
The first quote tells you how to use the built-in checker, the second
warns about how this could be faked/falsified (yours is weak in the same
way, but at least IE would work correctly with the way I suggest while
it wouldn't with yours).
http://www.duke.edu/websrv/file-extensions.html has the list of mime
types to use.

Kevin Squire wrote:
> I have created a web form with PHP.  The web form is an online
> application form that then emails our HR department.  They want me to
> include an option on the form to upload a resume.  I would like to stem
> off some trouble by making sure that the file they upload is one of our
> "acceptable" formats.  (Arguments about acceptable can be tabled -- I
> had to fight them to accept .txt file formats.)
> 
> I have my check working, but I have two questions about it:
> 
> 1) It seems to be a bit of a kludge - can I clean it up some?
> 2) What false-positives could occur?
> 
> Here is a snip:
> 
>       error_reporting(0);
>       // initialize a array to hold any errors we encounter
>       $errors = array();
>       // check to see if a first name was entered
>       if (!$_POST['fName'])
>          $errors[] = "First Name is required";
>       // check to see if a last name was entered
>       if (!$_POST['lName'])
>          $errors[] = "Last Name is required";
>  
> CUT SOME STUFF OUT HERE......
> 
>         // check file types against known extensions
>       $whitelist = array(".rtf", ".doc", ".txt", ".pdf");
>       // initialize the extension errors counter
>       $ext_err = 0;
>       // check the file extension
>       foreach ($whitelist as $item) {
>         // preg_quote() keeps the "." in $item literal; unescaped, "." matches any character
>         if (!preg_match('/' . preg_quote($item, '/') . '$/i', $_FILES['userfile']['name']))
>            $ext_err = $ext_err + 1 ;
>       }
>       if ($ext_err == 4)
>              $errors[] = "We only allow certain file formats " .$ext_err;
> 
> From the "foreach" loop down is the part that I would think I could
> clean up some, but I just can't seem to figure it out myself.
> 
> Thanks,
> Kevin
> 
> 

-- 
Jerod Lycett
Arenlor Productions
arenlor at arenlor.com
http://www.arenlor.com
(717)645-6249
717 24th St
Apt 1
Beaver Falls, PA 15010
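An added example, written for this page and not code from either message, showing how the two points raised in the thread fit together: the extension whitelist that Kevin's foreach/counter loop implements can be collapsed into one lookup, and the browser-supplied $_FILES['userfile']['type'] that the php.net quotes warn about is left unused in favour of a server-side look at the file's bytes. It assumes PHP with the fileinfo extension available; the MIME strings in $ALLOWED are what fileinfo is assumed to report for each format and may need adjusting to a given server's magic database.

```php
<?php
// Added example (not from the thread): extension check plus a server-side
// content check for a single upload. Assumes the fileinfo extension.

// Allowed extensions mapped to the MIME type(s) fileinfo is expected to
// report for them (assumed values). The key set replaces the $whitelist /
// $ext_err counter from the original snippet; the values drive the content
// check. $_FILES['userfile']['type'] is deliberately never consulted, since
// the browser sets it and php.net says not to take it for granted.
$ALLOWED = array(
    'txt' => array('text/plain'),
    'pdf' => array('application/pdf'),
    'rtf' => array('text/rtf', 'application/rtf'),
    'doc' => array('application/msword'),
);

/**
 * Validate one entry of $_FILES. Returns an array of error strings;
 * an empty array means the upload passed every check.
 */
function validate_upload(array $file, array $allowed)
{
    $errors = array();

    // Upload-level failures first: nothing sent, partial upload, too large.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $errors[] = 'Upload failed or no file was sent';
        return $errors;
    }
    // Refuse a tmp_name that is not the file PHP itself just received.
    if (!is_uploaded_file($file['tmp_name'])) {
        $errors[] = 'Not a valid uploaded file';
        return $errors;
    }

    // Extension check: one array lookup replaces the foreach + counter.
    // basename() drops any directory part the client put in the name;
    // strtolower() gives the case-insensitivity the original /i flag did.
    $name = basename($file['name']);
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $allowed)) {
        $errors[] = 'We only allow certain file formats: .'
                  . implode(', .', array_keys($allowed));
        return $errors;
    }

    // Content check: ask fileinfo what the bytes look like, on the server.
    // A .pdf that is really an executable, or a .doc that is really a
    // script, fails here even though the extension passed.
    $finfo    = finfo_open(FILEINFO_MIME_TYPE);
    $detected = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($detected === false || !in_array($detected, $allowed[$ext], true)) {
        $errors[] = "File content does not look like a .$ext file";
    }
    return $errors;
}

// In the form handler, alongside the fName/lName checks:
// $errors = array_merge($errors, validate_upload($_FILES['userfile'], $ALLOWED));
```

Two things to keep in mind when dropping this into the handler: `is_uploaded_file()` only returns true for the file PHP received in this request, so the function cannot be exercised from the command line on an arbitrary path, and a `.txt` entry will pass anything fileinfo reports as `text/plain`, which is as much as a content check can say about a plain text resume.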

