Jeigh Posted July 14, 2008

In one of the scripts I'm currently working on, I want to let users upload as many file types as possible without causing a security threat. For this reason I'm going to take the approach of making a whitelist rather than a blacklist and list as many as I can using the following code:

```php
// Everything from the last "." of the client-supplied file name onwards
$ext = strrchr($_FILES['uploaded_image']['name'], ".");
if ($ext != ".gif" AND $ext != ".jpg" AND $ext != ".jpeg" AND $ext != ".bmp"
    AND $ext != ".GIF" AND $ext != ".JPG" AND $ext != ".JPEG" AND $ext != ".png"
    AND $ext != ".ppt" AND $ext != ".xls" AND $ext != ".txt" AND $ext != "etc. etc.") {
    // Extension is not on the whitelist: reject the upload
    $error = "your file was an unacceptable type.<br />";
}
```

Obviously I'm not going to allow any .php, .js, .html, .exe or other such files, but my question is: are there any commonly used files that could pose a security threat? For example, allowing .xls files: most users would use that fine, however by adding a certain code in the file, when it's accessed it would cause some kind of problem (I know that it doesn't, not that I know of anyway, just trying to give an example of what I mean).

Lamez Posted July 14, 2008

Yes, xls files can pose a threat, because you can program VB express, but these files need to be executed to be harmful. Are you trying to protect you or your users? Because if you are trying to protect your server, it will be ok from files like xls, or something like that.

Jeigh (Author) Posted July 14, 2008

Mainly I'm trying to protect myself; for the most part the only person who will have access to the file is the person who uploaded it, so I assume it will be safe to allow .xls files then? But yeah, I just want people to post any other files like that, that may not be safe to allow apart from the obvious such as .php, .asp, .exe etc.
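
A stricter form of the whitelist check from the first post, as an added example that is not code from any participant in the thread. It goes beyond the posted snippet by lowercasing the extension, comparing the file's sniffed content type against it, and storing the file under a generated name. The function names, the `ALLOWED_TYPES` map and the storage directory are assumptions, and it needs PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example: lowercase extension => content types accepted for it.
// The entries are assumptions, a subset of the list in the first post.
const ALLOWED_TYPES = [
    'gif'  => ['image/gif'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'bmp'  => ['image/bmp', 'image/x-ms-bmp'],
    'txt'  => ['text/plain'],
];

// Returns the normalised extension when the client-supplied name and the
// sniffed content type agree with the allowlist, otherwise null.
function allowed_extension(string $clientName, string $sniffedMime): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    return in_array($sniffedMime, ALLOWED_TYPES[$ext], true) ? $ext : null;
}

// Validates one $_FILES entry and moves it into $storageDir (assumed to be
// outside the web root). Returns the stored file name, or null on rejection.
function store_upload(array $file, string $storageDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $ext = allowed_extension($file['name'], (string) $mime);
    if ($ext === null) {
        return null;
    }
    // Generated name: the client-supplied name never reaches the file system.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], "$storageDir/$stored") ? $stored : null;
}

// Constructed sample inputs for the pure check (no real upload needed):
var_dump(allowed_extension('Photo.JPG', 'image/jpeg'));  // mixed-case extension
var_dump(allowed_extension('notes.txt', 'text/x-php'));  // content disagrees with name
var_dump(allowed_extension('setup.exe', 'application/x-dosexec')); // not on the list
```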