Drongo_III Posted April 22, 2012 Share Posted April 22, 2012 Hi Guys Quick question. I am just starting an application that enables users to upload files - specifically image files. As one of the validation/security steps I want to run a check on file type and file size. As far as i can see you do this one of two ways: 1) using the $_FILES array - i.e. $_FILES[name][type] and $_FILES[name] or 2) using the getimagesize() function. What i want to know is whether one of these methods is preferable for security or do they both suffer the same inherent flaws - because lots of post online seem to suggest filetype can be faked. advice would be appreciated Quote Link to comment Share on other sites More sharing options...
MMDE Posted April 22, 2012 Share Posted April 22, 2012 Googling some will find you some nice answers! For example: http://stackoverflow.com/questions/4166762/php-image-upload-security-check-list Quote Link to comment Share on other sites More sharing options...
Drongo_III Posted April 22, 2012 Author Share Posted April 22, 2012 Thank MMDE That's a very useful post. What i am trying to discover is which method is most robust for discovering file type though? Or are they just the same? Googling some will find you some nice answers! For example: http://stackoverflow.com/questions/4166762/php-image-upload-security-check-list Quote Link to comment Share on other sites More sharing options...
MMDE Posted April 22, 2012 Share Posted April 22, 2012 Thank MMDE That's a very useful post. What i am trying to discover is which method is most robust for discovering file type though? Or are they just the same? Googling some will find you some nice answers! For example: http://stackoverflow.com/questions/4166762/php-image-upload-security-check-list You should use several different types of checks, not just one, and in a somewhat logical order. Quote Link to comment Share on other sites More sharing options...
Drongo_III Posted April 22, 2012 Author Share Posted April 22, 2012 Sorry i might not be explaining myself very well. I intend to do lots of other checks. What I am trying to discover is whether $_FILES[name][type] or getimagesize() is better for discovering the true file type? OR are they exactly the same in what they'll return? Thank MMDE That's a very useful post. What i am trying to discover is which method is most robust for discovering file type though? Or are they just the same? Googling some will find you some nice answers! For example: http://stackoverflow.com/questions/4166762/php-image-upload-security-check-list You should use several different types of checks, not just one, and in a somewhat logical order. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.