Thanks Rasmus, I thought there had to be a function out there that could examine the actual contents.
Now the question remains, would an ereg/eregi check for html/code/commands work on a "jpg/jpeg" type file? From a brief examination of one, I note that it's not text, but code. I tried writing some text commands into a jpeg file to see what would happen, and wasn't too surprised that the file didn't load -- but then again, I don't know what I'm doing :> I suppose, following what I saw in a movie "Along Came a Spider" -- manipulating image files with hidden text files, etc. -- sort of put me on guard. I have no idea whether this is even possible... sounds probable though. Would be great to find out before the site is compromised.

Tia,
Andre

On Tuesday 14 May 2002 10:32 pm, you wrote:
> Have a look at the getimagesize() function. This function looks at the
> actual file data, not the mime type nor the file's extension but the data
> itself and tells you what sort of image file it is.
>
> And no, it wouldn't really be after the fact because PHP stores the
> file with a temporary random filename in /tmp ensuring not to overwrite
> anything that is already there. It is then your job to perform the check
> and copy the file to some appropriate directory on your server. If you
> don't do anything with the file, PHP will automatically delete it at the
> end of the request.
>
> -Rasmus
>
> On Tue, 14 May 2002, Andre Dubuc wrote:
> > My question will probably expose my woeful lack of understanding of security
> > breaches, but perhaps someone can enlighten me.
> >
> > On my site, registered members will be allowed to upload jpg/jpeg
> > pictures. I'm concerned about possible security problems. First, is there
> > a way to ensure that a picture (and not some other malicious stuff) has
> > been uploaded?
> >
> > Aside from checking the mime type info associated with the file, is there
> > any way of verifying what's in the file that has been uploaded? (I'm
> > using Linux LM8.2) Would it be possible to fake info to fool this check?
> > Would verification checks for html/scripts/commands be of any use?
> >
> > Secondly, since the file in question is already uploaded and saved to
> > disk in /tmp or wherever, wouldn't any verification scheme be sort of,
> > 'after-the-fact'?
> >
> > I would appreciate any input, suggestions, or ideas on what to do here.
> > Am I being overly-paranoid about this, or do I have a legitimate security
> > concern?
> >
> > Using: Apache 1.3.23 + PHP 4.1.2 + PostgreSQL 7.2
> >
> > Tia,
> > Andre
> >
> >
> > --
> > Please pray the Holy Rosary to end the holocaust of abortion.
> > Remember in your prayers the Holy Souls in Purgatory.
> >
> > May God bless you abundantly in His love!
> > For a free Cenacle Scriptural Rosary Booklet:
> > http://www.webhart.net/csrb/
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
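The check Rasmus describes, written out as an added example (not code from the thread or from PHP itself) for a current PHP release rather than the 4.1.2 mentioned above: the upload is verified by its bytes via getimagesize(), then re-encoded through GD so that only pixel data reaches disk, which is the practical answer to the "hidden text inside an image file" worry. The form field name "photo", the destination directory and the size limit are assumptions.

```php
<?php
// Added example: validate an uploaded JPEG by inspecting its contents, not the
// client-supplied MIME type or filename. Field name "photo", the destination
// directory and the 2 MB limit are assumptions for this example.

function store_uploaded_jpeg(array $file, string $destDir, int $maxBytes = 2000000): ?string
{
    // Only a successful upload from this request is considered at all.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // is_uploaded_file() guards against a forged tmp_name pointing elsewhere on disk.
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > $maxBytes) {
        return null;
    }

    // getimagesize() reads the file's own bytes and reports the real image type;
    // $file['type'] (the browser's MIME claim) is deliberately never consulted.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        return null;
    }

    // Caveat: a valid JPEG header does not prove the file holds only image data,
    // since arbitrary bytes can follow the image stream. Decoding and re-encoding
    // through GD keeps the pixels and discards everything else, so the re-encoded
    // copy is what gets stored, never the original upload bytes.
    $img = @imagecreatefromjpeg($file['tmp_name']);
    if ($img === false) {
        return null;
    }

    // Server-chosen random name with a fixed .jpg extension; the client's
    // filename never touches the filesystem. $destDir should be a directory the
    // web server serves as static files only, not one it executes scripts from.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($img, $dest, 90);
    imagedestroy($img);
    return $ok ? $dest : null;
}

// Usage inside the upload handler (field name "photo" assumed). If the function
// returns null the request ends without touching the temp file, and PHP removes
// it at the end of the request, as Rasmus notes.
// $path = store_uploaded_jpeg($_FILES['photo'], '/var/www/uploads');
```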