File uploading; "image/jpg", sure. But what about movies, etc?


Hi everyone,

 

I've created a file upload for images, and would like to duplicate one for other files that do not include images, with limitations (i.e., I don't want people uploading .exes, .ppts, etc).

 

Is there a list of all of the file types and extensions?

 

Y'know, like "image/jpg", "image/png", etc?

 

The reason I'm asking is because I'm not sure what I should type before "/ext" ("movie/wmv"?), Word document ("word/doc"?), or other files.

 

A list would be appreciated. Thanks in advance!

This is kind of random, but I suggest not trusting mime types supplied by the client as they're fakable.... Best bet is to just check the file extension.

 

File extension not fakable?

 

The mime type helps the server encode the file and the client handle the file appropriately, not the extension.

 

The mime type is meaningless, and is often mapped to file extensions....

 

How do you fake a filename.ext?  Also, Windows handles files based on file extensions, so chances are, despite the mime type, there will be certain situations where Windows handles a .exe file with jpeg content as a .exe.  Also, if someone were to upload a .php file with an image/jpeg mimetype for example and then they accessed it somehow or other, your server would run it.  (That would assume the PHP file was in the web root, or the file was being called via include() or require()).

 

I would just check the file extension of uploads, since my rule of thumb is to not trust anything sent by the client.  Of course the file extension could not match the contents, but that's often a less problematic situation than contents not matching the mime type....


 

How do I fake filename ext?  easy:  ren *.pdf *.txt

 

Windows is stupid, period.

Try to upload an .exe using mime type text/html

 

Upload a .PHP file?  There is no rule that says you have to save the uploaded file with the same name it had on the local machine.  And if you do that, you're too dumb to be a programmer.
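The thread above makes three separate points: the client-sent mime type in `$_FILES[...]['type']` is derived from the extension on the client and proves nothing about the contents; the extension should be checked against an allow-list; and the uploaded file should never be stored under the name the client chose. The following upload handler, written for this page as an added example (not code posted by anyone in the thread), combines all three, sniffs the actual bytes with PHP's bundled `finfo` extension instead of trusting the client, and stores the result outside the web root so a stray `.php` can never be executed. The form field name `document`, the directory `/var/app/uploads` and the size limit are assumptions; the extension-to-type table uses the registered MIME types, which also answers the original question ("movie/wmv" and "word/doc" are not real types).

```php
<?php
// Added example, not from the thread. Assumptions: the upload comes from a
// form field named "document"; UPLOAD_DIR exists, is writable by the web
// server and is NOT inside the document root, so nothing stored here is
// ever executed or served directly.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';   // assumed path, outside the web root
const MAX_BYTES  = 10 * 1024 * 1024;     // assumed 10 MiB limit

// Allow-list: lowercase extension => MIME type(s) the *contents* must sniff as.
// Extensions not in this table (.exe, .ppt, .php, ...) are refused outright.
const ALLOWED = [
    'pdf'  => ['application/pdf'],
    'doc'  => ['application/msword'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
    'wmv'  => ['video/x-ms-wmv', 'video/x-ms-asf'],   // libmagic often reports the ASF container
    'mp4'  => ['video/mp4'],
    'txt'  => ['text/plain'],
];

/**
 * Validate one entry of $_FILES. Returns [true, extension] on success or
 * [false, reason] on failure. Nothing here trusts $file['type'] or $file['name']
 * beyond extracting the extension from the latter.
 */
function validateUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload did not complete'];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large'];
    }
    // Refuse anything that is not a genuine PHP-managed upload (e.g. a forged tmp_name).
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }

    // 1. Extension check against the allow-list (client-chosen, so it is only a first gate).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if ($ext === '' || !isset(ALLOWED[$ext])) {
        return [false, 'extension not allowed'];
    }

    // 2. Content check: sniff the bytes on disk. $file['type'] is ignored on purpose,
    //    because the browser fills it in from the extension and anyone can set it.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected === false || !in_array($detected, ALLOWED[$ext], true)) {
        return [false, 'contents do not match extension'];
    }
    return [true, $ext];
}

/**
 * Move a validated upload into UPLOAD_DIR under a server-generated name and
 * return the final path. The original filename never touches the filesystem.
 */
function storeUpload(array $file): string
{
    [$ok, $info] = validateUpload($file);
    if (!$ok) {
        throw new RuntimeException($info);
    }
    // 3. Random name chosen by the server; the trusted extension is re-attached
    //    only so a later download handler knows which Content-Type to send.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $info;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0640);   // readable by the app, never executable
    return $target;
}

if (isset($_FILES['document'])) {
    try {
        $path = storeUpload($_FILES['document']);
        echo 'Stored as ' . htmlspecialchars(basename($path));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

Two caveats a practitioner would want: older libmagic builds report `.docx` simply as `application/zip` (the file is a zip container), so extend the allow-list entry if your `finfo` does that; and because the files sit outside the web root, downloads have to go through a script that reads the file and sends `Content-Disposition: attachment` together with `X-Content-Type-Options: nosniff`, which also stops a browser from second-guessing the stored type.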

 

 
