[SOLVED] fight double barreled extensions


Brian W


Hello World,

I am trying to fight double barreled extensions, namely ones that are actually php files. I don't know why this is a big deal since if someone goes to the file they uploaded, for example file.php.jpg, they don't get to execute it as a .php file. But, the experts say double barreled bad so I listen. lol

 

I'm using

if ($_FILES['uploadedfile']['type'] == "application/octet-stream") {
    echo "No PHP files please";
} else {
    // upload handling continues here
}

to combat the normal use of PHP files.

From there, I haven't found a way to prevent double barreled extensions on the internet which is odd. I decided to try completing this task myself but I'm a noob and of course I encountered an issue.

$Filename = str_replace(".php", "", $_FILES['uploadedfile']['name']);
// Then I use $Filename everywhere else for the naming and moving

Seemed clever to me at first, then I realized it is case sensitive, file.PHP.jpg will get by. I could do it 9 times (there are 9 possibilities for capitalization combination), which would be best done in an array (which I'm not sure how to do) or is there a way to make ".php" non case sensitive?


Again, I don't understand why... if I try to open file.jpg, which really was file.php before changing its name, I don't get to execute it, actually at least in my browser on my server it just displays the url. IDK

Please explain what kind of headache I'm getting myself into.

 

I found while google searching str_ireplace() and that is supposed to be case insensitive but it doesn't work at all, I get a Fatal Error.
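Why it matters on some hosts: Apache's mod_mime can apply a handler for every extension in a name, so file.php.jpg may be executed as PHP depending on configuration, while a renamed file.jpg never matches the .php handler. The following is an added example, not code from this thread, showing a check that compares each extension segment case-insensitively against a blacklist, whitelists the final extension, sniffs the real MIME type instead of trusting the client-supplied type field, and stores a server-generated name. It assumes PHP 7.1 or newer (str_ireplace() itself has existed since PHP 5.0) and an uploads/ directory beside the script; the extension lists are constructed for the example.

```php
<?php
// Added example (not the poster's code): reject any upload whose name
// contains a script extension in any position or case, then store it
// under a name the client never chose.

// Constructed lists: final extensions we accept, and their expected MIME types.
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
// Constructed list of extensions that must never appear anywhere in the name.
const SCRIPT_EXT  = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

/**
 * Returns a safe storage filename, or null when the upload must be rejected.
 * $upload is one entry of $_FILES, e.g. $_FILES['uploadedfile'].
 */
function safeUploadName(array $upload): ?string
{
    if ($upload['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $original = basename($upload['name']);           // drop any directory part
    $parts    = explode('.', strtolower($original));  // lowercase: PHP, pHp, php all match
    $ext      = array_pop($parts);                    // the last extension decides the type

    // "file.php.jpg", "file.PHP.jpg", "file.PhP5.jpg": any inner segment that is
    // a script extension makes this a double-barreled name, so reject it outright
    // instead of stripping it (stripping ".php" from "file.p.phphp" leaves "file.php").
    foreach ($parts as $segment) {
        if (in_array($segment, SCRIPT_EXT, true)) {
            return null;
        }
    }
    if (!isset(ALLOWED_EXT[$ext])) {
        return null;                                  // final extension not whitelisted
    }

    // $_FILES[...]['type'] is sent by the client and can say anything;
    // look at the bytes of the temporary file instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($upload['tmp_name']) !== ALLOWED_EXT[$ext]) {
        return null;
    }

    // Random server-generated name: nothing client-controlled reaches the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$name = safeUploadName($_FILES['uploadedfile']);
if ($name === null) {
    echo "No PHP files please";
} else {
    move_uploaded_file($_FILES['uploadedfile']['tmp_name'], __DIR__ . '/uploads/' . $name);
}
```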
