andrewgerm

Thank you again! Going to speak to the host, and see what I can organise. I've had several hosts tell me recently that they do not allow access to folders above webroot by scripts, at all. Will have to see what they can sort for this site then. Safest option is always the way to go. Had thought it'd be okay to do all the checks, but you never know what the next attack vector would be. Speaking of, any ways in even if uploading to another directory, and moving? Would also limit files to JPEG type, and probably resize them with a script too while I'm at it. Will post any additional info I manage here, but hopefully all goes well. Thank you again.

Thank you for the reply I had intended to run actual checks (and not rely on user or browser supplied info) Had not seen many mention of mime type, but many mentions suggesting getimagesize, etc. Without opening this thread, and my questions up to giving out info that would add attackers, are there any other concerns to be aware of?

Good day all Busy working on some code to allow users to upload images. Now, I know not to trust anything sent from a user (and to specifically check image type, etc.) And it's never a good idea to allow anyone, or anything to upload something to a directory below your web root. But, how bad would it be to check for the correct file size, and type, and then use PHP to FTP that file to a directory that happens to be below your web root? This would be on a shared hosting platform, where temp_upload is not set, and is running Apache and PHP 5.2 Just checking some additional options, and haven't seen that much regarding how secure the FTP method would be. Thanks in advance

Hi all I've been working on a problem with XMLreader for some time now, and have been stuck on an issues I think is related to reading several attributes from one element. Not sure if this is the case though, but the manual for xmlreader is sorely lacking info. My XML looks similar to <xml> <company> - about a hundred of these </company> <appointment start='0100' end='0200' id='123'> <subject></subject> <location></location> <comment></comment> </appointment> - about half a million of these My PHP is: while($oXML->read()) { if($oXML->nodeType == XMLReader::ELEMENT) { if($oVidXML->localName == 'appointment') { $Varstart = $oXML->getAttribute('start'); $Varstop = $oXML->getAttribute('stop'); $Varid = $oXML->getAttribute('id'); echo $i; } else if { $oVidXML->read(); $Varsubject = $oVidXML->value; echo $i; } $i++; } else if($oML->nodeType == XMLReader::END_ELEMENT && $oML->localName == 'subject') { // submit SQL } Any help would be appreciated. The input file can easily contain half to a million records, and Gzipped is about 10MB (easily uncompressing to about 70 odd. What is happening, is that I am successfully getting the 'start', 'stop' and 'id' data. But it seems that the while loop is running a further two iterations, and then is grabbing the subject, as the value of $i differs by 2. There for, I am getting empty variables (first first round gets the first 3 pieces of info, and then iteration, and then the subject info. Any and all help would be appreciated. Thank you in advance.