[wplug] Clean up a PHP script
Jerod Lycett
arenlor at ptd.net
Thu Jan 31 22:32:42 EST 2008
http://www.php.net/features.file-upload
" $_FILES['userfile']['type']
The mime type of the file, if the browser provided this information.
An example would be "image/gif". This mime type is however not checked
on the PHP side and therefore don't take its value for granted."
"Beware the mime-types! Given the GIF security issue that has been doing
the rounds recently you may be inclined to validate an update based on
its reported mime-type from the $_FILES array. However be careful with
this - it is set by the *browser*, not by PHP or the web server, and
browsers are not consistent (what's new?!)
For example IE6/7 will upload a progressive JPEG as image/pjpeg, while
Firefox and Opera will upload it as image/jpeg. More importantly IE will
try and determine the mime type of the file by actually inspecting its
contents. For example if you rename a perfectly valid PNG file to end
with .zip instead, IE will still send a mime type of image/x-png,
where-as Firefox and Opera will send application/x-zip-compressed and
application/zip respectively, even though the file is a valid PNG."
The first quote tells you how to use the built-in checker; the second
warns about how this could be faked/falsified (yours is weak in the same
way, but at least IE would work correctly with the way I suggest, while
it wouldn't with yours).
http://www.duke.edu/websrv/file-extensions.html has the list of mime
types to use.
Kevin Squire wrote:
> I have created a web form with PHP. The web form is an online
> application form that then emails our HR department. They want me to
> include an option on the form to upload a resume. I would like to stem
> off some trouble by making sure that the file they upload is one of our
> "acceptable" formats. (Arguments about acceptable can be tabled -- I
> had to fight them to accept .txt file formats)
>
> I have my check working, but I have two questions about it:
>
> 1) It seems to be a bit of a kludge - can I clean it up some?
> 2) What false-positives could occur?
>
> Here is a snip:
>
> error_reporting(0);
> // initialize a array to hold any errors we encounter
> $errors = array();
> // check to see if a first name was entered
> if (!$_POST['fName'])
> $errors[] = "First Name is required";
> // check to see if a last name was entered
> if (!$_POST['lName'])
> $errors[] = "Last Name is required";
>
> CUT SOME STUFF OUT HERE......
>
> // check file types against known extensions
> $whitelist = array(".rtf", ".doc", ".txt", ".pdf");
> // initialize the extension errors counter
> $ext_err = 0;
> // check the file extension (preg_quote() so the "." is a literal dot,
> // not a regex wildcard that would also match a name like "resumertf")
> foreach ($whitelist as $item) {
>     if (!preg_match("/" . preg_quote($item, "/") . "\$/i", $_FILES['userfile']['name']))
>         $ext_err = $ext_err + 1;
> }
> // every whitelist entry failed to match
> if ($ext_err == count($whitelist))
>     $errors[] = "We only allow certain file formats " . $ext_err;
>
> From the "foreach" loop down is the part that I would think I could
> clean up some, but I just can't seem to figure it out myself.
>
> Thanks,
> Kevin
>
--
Jerod Lycett
Arenlor Productions
arenlor at arenlor.com
http://www.arenlor.com
(717)645-6249
717 24th St
Apt 1
Beaver Falls, PA 15010
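Added example (editor's code, not from Jerod's or Kevin's message): the
point of the thread is that both the client-supplied file name and
$_FILES['userfile']['type'] are chosen by the browser, so the only check
the server can trust is one it performs on the uploaded bytes itself.
The function below does the extension check idiomatically with
pathinfo() instead of a regex loop, then asks libmagic (PHP's fileinfo
extension, enabled by default since 5.3) what the content really is, and
never reads the browser-reported type at all. The function and constant
names (validate_resume, RESUME_TYPES) are hypothetical, and the MIME
strings listed for .rtf and .doc are assumptions that vary with the
installed magic database; check them against your own finfo output. The
sample files in the CLI self-test are constructed inline.

```php
<?php
// Allowed extension => MIME types libmagic is expected to report for it.
// The lists for rtf/doc are assumptions (libmagic version dependent).
const RESUME_TYPES = [
    'pdf' => ['application/pdf'],
    'txt' => ['text/plain'],
    'rtf' => ['text/rtf', 'application/rtf'],
    'doc' => ['application/msword', 'application/CDFV2', 'application/x-ole-storage'],
];

/**
 * Validate an uploaded resume. Returns a list of error strings (empty = accepted).
 * $name is the client-supplied file name, $tmpPath the server-side temp file.
 * $_FILES['userfile']['type'] is deliberately never consulted: the browser sets it.
 */
function validate_resume(string $name, string $tmpPath, int $maxBytes = 2 * 1024 * 1024): array
{
    $errors = [];

    // 1. Extension whitelist via pathinfo(); no regex, so "." cannot act as a wildcard.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, RESUME_TYPES)) {
        $errors[] = 'We only allow .' . implode(', .', array_keys(RESUME_TYPES)) . ' files';
        return $errors;
    }

    // 2. Size sanity check (empty files and oversized uploads are both rejected).
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        $errors[] = 'File is empty or too large';
    }

    // 3. Content check: libmagic inspects the bytes, independent of name and browser.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, RESUME_TYPES[$ext], true)) {
        $errors[] = sprintf('File content (%s) does not match its .%s extension',
                            $detected ?: 'unknown', $ext);
    }

    return $errors;
}

// In the form handler: only validate when a file actually arrived via HTTP upload.
if (PHP_SAPI !== 'cli' && isset($_FILES['userfile'])
    && $_FILES['userfile']['error'] === UPLOAD_ERR_OK
    && is_uploaded_file($_FILES['userfile']['tmp_name'])) {
    $errors = validate_resume($_FILES['userfile']['name'], $_FILES['userfile']['tmp_name']);
}

// Constructed sample inputs for running this file from the command line (php thisfile.php).
if (PHP_SAPI === 'cli') {
    $samples = [
        ['resume.pdf', "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"], // genuine PDF header
        ['resume.txt', "Kevin Squire\nPHP developer\n"],                             // plain text
        ['resume.pdf', "<?php system(\$_GET['c']); ?>\n"],                            // PHP script renamed .pdf
        ['resume.exe', "MZ\x90\x00"],                                                 // disallowed extension
    ];
    foreach ($samples as [$name, $bytes]) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        $errors = validate_resume($name, $tmp);
        printf("%-12s -> %s\n", $name, $errors ? implode('; ', $errors) : 'accepted');
        unlink($tmp);
    }
}
```

The third sample is the case the extension check alone misses: a PHP
script renamed to .pdf passes the whitelist, and IE would even report it
as a PDF if the first bytes looked right, but libmagic reports its
content as a PHP script and the upload is rejected. The check runs on
the temp file before move_uploaded_file(), so a rejected file never
reaches the mail step.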