Is it possible to check the content of an uploaded file to make sure that it doesn't contain anything that could harm the server (files etc.)?

I've tried merging two files into a single image file, making it contain some PHP code. I then tried to upload it with a simple upload PHP script and tried to check the content of it, but without the result I was looking for.

So if we receive the following file from the client:

$_FILES["profilePicture"]

How can I make sure that this is a valid image?

Any help will be greatly appreciated.

Langkiller
  • Look over to the right under Related >>> – Funk Forty Niner Jan 04 '15 at 00:59
  • Try pathinfo http://php.net/manual/en/function.pathinfo.php – ka_lin Jan 04 '15 at 01:00
  • Plus, use a whitelist. – Funk Forty Niner Jan 04 '15 at 01:11
  • @KA_lin And what would that do? – deceze Jan 04 '15 at 01:16
  • @deceze I was contemplating the same duplicate earlier, having looked at your answer in that page. Just wasn't sure if OP would understand it fully. This, being found under Related, as originally stated to the OP. – Funk Forty Niner Jan 04 '15 at 01:18
  • Thanks for your input. Here's what I ended up using: a white list to check the file extension and headers (MIME) of the files and the getimagesize() function in PHP (returns false if not an image file). I'm also checking the content of the image files to check for code snippets etc. I have also made an adjustment to my htaccess file by specifying which MIME types are legal, like so: ForceType application/octet-stream ForceType image/jpeg .. And of course I avoid including files uploaded by clients, which could result in executing client code. – Langkiller Jan 04 '15 at 12:01
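
An added example, not code posted by anyone in this thread: one way to combine the checks mentioned in the comments above (whitelist, content-based MIME detection, getimagesize()) with a GD re-encode, so that what gets stored is a freshly written image rather than the uploaded bytes. The function name `storeProfilePicture`, the size and dimension limits, and the destination directory are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): validates $_FILES["profilePicture"]
// and returns the stored file name, or throws if the upload is not an accepted image.
function storeProfilePicture(array $file, string $destDir, int $maxBytes = 2000000): string
{
    // 1. Reject failed, oversized, or non-upload files before touching content.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > $maxBytes || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Rejected upload');
    }

    // 2. Whitelist by MIME type sniffed from the content. $file['type'] and
    //    $file['name'] are supplied by the client and are never consulted.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('Type not allowed');
    }

    // 3. getimagesize() only parses the header, so a merged image+PHP file
    //    can still pass it. Use it for a type cross-check and a dimension cap
    //    (assumed limit: 4000 px per side).
    $info = getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime || $info[0] > 4000 || $info[1] > 4000) {
        throw new RuntimeException('Not a valid image');
    }

    // 4. Decode with GD; a file that is not really an image fails here.
    $img = $mime === 'image/jpeg'
        ? @imagecreatefromjpeg($file['tmp_name'])
        : @imagecreatefrompng($file['tmp_name']);
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded');
    }

    // 5. Write a new file from the decoded pixels under a server-chosen random
    //    name and extension; appended bytes and metadata are not carried over.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $path = rtrim($destDir, '/') . '/' . $name;
    $ok = $mime === 'image/jpeg' ? imagejpeg($img, $path, 85) : imagepng($img, $path);
    if (!$ok) {
        throw new RuntimeException('Could not write image');
    }
    return $name;
}
```

It would be called as `storeProfilePicture($_FILES['profilePicture'], $uploadDir)`, where `$uploadDir` is a directory the web server does not execute scripts from.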
