Brian W, posted September 11, 2008

Hello World,

I am trying to fight double barreled extensions, namely ones that are actually php files. I don't know why this is a big deal since if someone goes to the file they uploaded, for example file.php.jpg, they don't get to execute it as a .php file. But, the experts say double barreled bad so I listen. lol

I'm using

    if ($_FILES['uploadedfile']['type'] == "application/octet-stream") {
        echo "No PHP files please";
    } else {

to combat the normal use of PHP files. From there, I haven't found a way to prevent double barreled extensions on the internet, which is odd. I decided to try completing this task myself, but I'm a noob and of course I encountered an issue.

    $Filename = str_replace(".php", "", $_FILES['uploadedfile']['name']);
    //Then I use $Filename everywhere else for the naming and moving

Seemed clever to me at first, then I realized it is case sensitive: file.PHP.jpg will get by. I could do it 9 times (there are 9 possibilities for capitalization combination), which would be best done in an array (which I'm not sure how to do), or is there a way to make ".php" non case sensitive?

corbin, posted September 11, 2008

stri_replace

I've never heard of double barreled extensions.... Can't think of a specific case where they would be harmful.

Oh, by the way, never trust the mime-type. That's an accident waiting to happen.

Brian W (author), posted September 11, 2008

Again, I don't understand why... if I try to open file.jpg, which really was file.php before changing its name, I don't get to execute it; actually, at least in my browser on my server, it just displays the URL. IDK. Please explain what kind of headache I'm getting myself into.

While Google searching I found str_ireplace(), and that is supposed to be case insensitive, but it doesn't work at all; I get a Fatal Error.

Brian W (author), posted September 11, 2008

Is str_ireplace() only in newer versions of PHP? My host is 1and1 and I'm unsure of how to tell what version they have (if it even makes a difference in this case).

Brian W (author), posted September 11, 2008

I fixed it myself... thanks anyways.

Resolution: use eregi_replace() instead of str_ireplace()

Good to know.

Still, the mime thing interests me.
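
The two points raised in this thread (case-insensitive handling of a `.php` segment in the upload name, and not trusting the client-sent MIME type) can be combined in one check. The following is an added example, not code from any post in the thread; the function name `safe_upload_name()`, the allow-list and the blocked list are assumptions, and it needs PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example, not code from the thread. The lists below and the function
// name safe_upload_name() are assumptions chosen for illustration.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                 'png' => 'image/png',  'gif'  => 'image/gif'];
const BLOCKED = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar', 'htaccess'];

/**
 * Returns a server-generated name for an accepted upload, or null to reject.
 * $clientName is $_FILES[...]['name'], $tmpPath is $_FILES[...]['tmp_name'].
 */
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    // Lower-case first so file.PHP.jpg and file.php.jpg are treated alike.
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) < 2) {
        return null;                       // no extension at all
    }
    $ext = array_pop($parts);              // final extension
    array_shift($parts);                   // drop the base name
    if (!isset(ALLOWED[$ext])) {
        return null;                       // allow-list on the final extension
    }
    // Reject rather than strip: deleting a substring can itself leave a
    // blocked extension behind, and a rejected upload is easier to log.
    if (array_intersect($parts, BLOCKED) !== []) {
        return null;                       // blocked extension in the middle
    }
    // Do not use $_FILES[...]['type']: it is supplied by the client.
    // Detect the type from the file's bytes (requires the fileinfo extension).
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED[$ext]) {
        return null;                       // content does not match extension
    }
    // Never reuse the client's name on disk; store under a random one.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample: a minimal GIF written to a temp file stands in for an upload.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x00\x00\x00;");
foreach (['photo.gif', 'file.php.gif', 'file.PHP.gif', 'photo.jpg', 'script.php'] as $name) {
    $result = safe_upload_name($name, $tmp);
    echo str_pad($name, 14), $result === null ? 'rejected' : "stored as $result", PHP_EOL;
}
unlink($tmp);
```

In a real handler the returned name would be the destination passed to `move_uploaded_file()`, ideally in a directory where the web server does not execute scripts.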