Topic awaiting preservation: file upload mime types (Page 1 of 1)
Paranoid (IV) Inmate From: 1393
I've got a php upload script I've created and I want to restrict all file types except for pdf, gif and jpg. I've been reading up on mime types but it seems that it is totally browser-dependent (like AOL doesn't send proper mime types etc.). How do I go about this properly?
Nervous Wreck (II) Inmate From: Stockholm, Sweden
I'm using the following code. As far as I know it works well on both PC and Mac. IE and FF and all the rest.

code:
```php
$FILE_MIMES = array('image/jpeg','image/jpg','image/gif','image/png');
$FILE_EXTS = array('.jpeg','.jpg','.png','.gif');
// Reject unless both the reported type and the extension are on the lists.
if (!in_array($file_type, $FILE_MIMES) || !in_array($file_ext, $FILE_EXTS)) {
    echo "Sorry, $file_name($file_type) was not allowed to be uploaded.";
}
```
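Paranoid (IV) Inmate From: New Jersey, USA
You can do an eregi on the file name. Something like:

code:
```php
// eregi() was removed in PHP 7; preg_match() with the /i flag replaces it there.
// Refuse only when the name ends in none of the allowed extensions.
if (!eregi('\.pdf$', $filename) && !eregi('\.gif$', $filename) && !eregi('\.jpe?g$', $filename)) {
    // put code to refuse the upload here
} else {
    // handle the upload here
}
```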
Paranoid (IV) Mad Scientist From: Omicron Persei 8
Nervous Wreck (II) Inmate From:
MIME Filetype is a lot harder to spoof than extensions, so it's best imo to use both.
Maniac (V) Mad Scientist with Finglongers From: Germany
You don't listen to the mime types the client sends.
Nervous Wreck (II) Inmate From:
I said it was harder, TP, not that it wasn't possible. I agree it wouldn't be hard to spoof the mime-type (writing raw http headers is not rocket science), but it's of a completely different degree from changing the file extension. =)
Maniac (V) Mad Scientist with Finglongers From: Germany
well... betting that an attacker is stupid is a sure way to lose money.
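
The point made in the posts above (the type sent by the client cannot be trusted), as an added example that is not part of the original thread: the check below ignores the declared type, allowlists the extension, and compares it with the type detected from the file's own bytes. `upload_allowed()` and the sample inputs are hypothetical and constructed for illustration; PHP's fileinfo extension is assumed to be enabled.

```php
<?php
// Added example, not from the thread. Allowed extension => MIME type
// expected when the file CONTENT is inspected on the server.
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/**
 * Hypothetical helper: true only if the extension is allowlisted AND the
 * type detected from the bytes matches what that extension should contain.
 * The client-declared type ($_FILES[...]['type']) is never consulted.
 */
function upload_allowed(string $clientName, string $bytes): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return false;                      // extension not on the allowlist
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->buffer($bytes) === ALLOWED[$ext];
}

// Constructed samples: [client file name, client-declared type, file bytes].
$samples = [
    ['report.pdf', 'application/pdf', "%PDF-1.4\n1 0 obj\n<< >>\nendobj\n"],
    ['photo.gif',  'image/gif',       "GIF89a\x01\x00\x01\x00\x00\x00\x00;"],
    ['script.gif', 'image/gif',       "<?php echo 'hi'; ?>\n"],
    ['notes.php',  'image/jpeg',      "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"],
];

foreach ($samples as [$name, $declared, $bytes]) {
    printf("%-11s declared=%-16s => %s\n", $name, $declared,
        upload_allowed($name, $bytes) ? 'accept' : 'reject');
}
```

In an upload handler the same comparison would run on the temporary file with `$finfo->file($_FILES['userfile']['tmp_name'])`, where `userfile` is a placeholder field name. A matching signature says nothing about the rest of the file, so store accepted uploads under a server-generated name outside the web root.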
Maniac (V) Inmate From: Sthlm, Sweden
quote: