Dangerous Files

[Jeigh]

One of the scripts I'm currently working on I want to let users upload as many file types as possible without causing a security threat. For this reason I'm going to take the approach of making a whitelist rather than a blacklist and list as many as I can using the following code:

 

$ext = strrchr($_FILES['uploaded_image']['name'], "."); 
        if ($ext != ".gif" AND $ext != ".jpg" AND $ext != ".jpeg" AND $ext != ".bmp" AND $ext != ".GIF" AND $ext != ".JPG" AND $ext != ".JPEG" AND $ext != ".png" AND $ext != ".ppt" AND $ext != ".xls" AND $ext != ".txt" AND $ext != "etc. etc.") { 
            $error = "your file was an unacceptable type.<br />"; 

 

Obviously I'm not going to allow any .php, .js, .html, .exe or other such files but my question is, is there any commonly used files that could pose a security threat? For example allowing .xls files, most users would use that fine however by adding a certain code in the file when it's accessed it would cause some kind of problem (I know that it dosn't, not that I know of anyway, just trying to give an example of what I mean).

[Lamez]

yes xls files can pose a threat, because you can program VB express, but these files need to be executed to be harmful. Are you trying to protect you or your users? Because if you are trying to protect your server, it will be ok from files like xls, or something like that.

[Jeigh]

Mainly I'm trying to protect myself, for the most part the only person who will have access to the file is the person who uploaded it so I assume it will be safe to allow .xls files then?

 

But yeah I just want people to post any other files like that, that may not be safe to allow apart from the obvious such as .php, .asp, .exe etc.