Zend Framework - Image upload question


Hi there,

I am a new Zend Framework user and I am wondering how to verify whether a given file is a valid image or not. I guess checking only the file extension & MIME type is not enough. What if someone renames, for example, a file from evil.php to something like flower.gif? Will this pass the validations? I just want to prevent such a thing.

Any help is highly appreciated.

Regards


hey hey,

Not sure if you can validate whether the file is an actual image unless you create custom validators for Zend_Form, if you are going complete Zend.

If not, the good news is that Zend_Validators can be used stand-alone, so yay!! Now here are a few things you can do:

For each so-called malicious data string you've got, you use:

$handle = fopen($file, 'r'); $content = fread($handle, filesize($file)); then search $content as a string for the codes that are of the language.

For JavaScript, Lua, .NET, PHP: look for the word function, or even the ' = ' with the spaces.

It's highly unlikely that an image read would have ' = ', but the proof is in the code.

Beyond that there isn't truly any other validation for images other than the ones already set for Zend_Form_Element_Image types.
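An added example, not code from either poster, of checking an upload by its content instead of its name: magic bytes, fileinfo and getimagesize() must all agree, then the image is re-encoded with GD so that a renamed script, or a GIF with a script appended, either fails to decode or loses its non-pixel bytes. It assumes PHP 7+ with the GD and fileinfo extensions; $tmpPath and $destDir are hypothetical parameters.

```php
<?php
// Added example (not from the thread): validate an upload by content, not by extension.
// Assumes PHP 7+ with GD and fileinfo; $tmpPath is the uploaded temp file,
// $destDir a directory outside the web root or one with script execution disabled.

function validateAndReencodeImage(string $tmpPath, string $destDir): ?string
{
    // 1. Size sanity check before any decoding work.
    if (!is_file($tmpPath) || filesize($tmpPath) > 5 * 1024 * 1024) {
        return null;
    }

    // 2. Magic bytes: look at the first bytes of the file, not the client-supplied name.
    $head  = file_get_contents($tmpPath, false, null, 0, 8);
    $magic = [
        'image/jpeg' => "\xFF\xD8\xFF",
        'image/png'  => "\x89PNG\r\n\x1a\n",
        'image/gif'  => "GIF8",
    ];
    $type = null;
    foreach ($magic as $mime => $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            $type = $mime;
            break;
        }
    }
    if ($type === null) {
        return null; // evil.php renamed to flower.gif stops here: no image signature
    }

    // 3. Cross-check with fileinfo and getimagesize(); both inspect the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $info  = @getimagesize($tmpPath);
    if ($finfo->file($tmpPath) !== $type || $info === false || $info['mime'] !== $type) {
        return null;
    }

    // 4. Re-encode with GD. Only the decoded raster is written back, so comment
    //    blocks and trailing data (where a payload would ride) do not survive.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }

    // 5. Server-chosen random name and fixed extension; never reuse the client's name.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    $ok   = imagepng($img, $dest);
    imagedestroy($img);
    return $ok ? $dest : null;
}
```

Re-encoding is a hardening step, not a proof: the stored file should still be served from a location where PHP is never executed.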
