suttercain, Posted November 5, 2007

Hi guys, quick question. I have built a simple file upload form which allows a user to upload a single JPEG image. I check to make sure the file size is smaller than 250k and that it is in fact a JPEG image. My question is: can someone upload an .exe file as a .jpg file and actually have it execute somehow? Thanks.
atlanta, Posted November 5, 2007

If you actually have PHP check the file size and type, then no. But if you only have the HTML form try to validate the size and type, then yes.
cooldude832, Posted November 5, 2007

They couldn't execute a JPEG as an .exe on your server. Sure, you could hide an .exe in a JPEG, download the file and use its binaries to create that program, but it couldn't "execute" on your server. This was on that show Numb3rs, where JPEGs were encoded with a program that let you decrypt the image to a secondary image, but you can't do it on your server, as your server can't execute anything other than the pages they land on. Now, if you are to recreate the upload, which I advise you do (even if you don't resize, just recreate), it should destroy the illegal binaries and attempt to write correct JPEG ones, resulting in a corrupt image.
Wuhtzu, Posted November 5, 2007

You can't execute an executable file via a call like http://domain.com/executable_file.exe. But you should make sure they do not upload .exe files just by renaming them to .jpg. Use exif_imagetype() to validate the image type:

    <?php
    // exif_imagetype() returns IMAGETYPE_JPEG (2) for a JPEG, false if the
    // file is not a recognised image.
    if (exif_imagetype($image) == IMAGETYPE_JPEG) {
        echo "$image is a valid JPEG image";
    } else {
        echo "$image is _not_ a valid JPEG image";
    }
    ?>

The exif_imagetype function actually reads some bytes from the file and uses them to determine which format a picture is. You can't fool it by renaming an .exe file to .jpg.

http://dk2.php.net/manual/en/function.exif-imagetype.php

It is a lot better than simply validating the extension of a file.
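The two server-side measures suggested in this thread, checking the leading bytes with exif_imagetype() and re-encoding the image as cooldude832 advises, put together into one handler. This is an added example, not code from any of the posters. It assumes PHP with the exif and gd extensions; the function name storeJpegUpload, the 250 KiB limit from the original question, and the random output file name are choices made for the example. The demo at the bottom constructs its own inputs: a file with a PE-style "MZ" header saved as .jpg, and a real JPEG generated with GD that has text appended after the image data. The first is rejected by the magic-byte check; the second passes exif_imagetype() but the appended text does not survive re-encoding, which is why the magic-byte check alone is not sufficient.

```php
<?php
declare(strict_types=1);

// Added example: a hardened JPEG upload handler. Requires ext/exif and ext/gd.
const MAX_UPLOAD_BYTES = 250 * 1024; // limit taken from the original question

/**
 * Validate $tmpPath as a JPEG and write a freshly encoded copy into $destDir.
 * Returns the path of the re-encoded file; throws RuntimeException on any failure.
 * In a real handler $tmpPath would be $_FILES['image']['tmp_name'] after an
 * is_uploaded_file() check.
 */
function storeJpegUpload(string $tmpPath, string $destDir): string
{
    // 1. Size check on the server. The HTML form's limit is advisory only.
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file is empty or larger than 250 KiB');
    }

    // 2. Content sniffing. exif_imagetype() reads the leading bytes, so an
    //    executable renamed to .jpg fails here regardless of its extension.
    if (exif_imagetype($tmpPath) !== IMAGETYPE_JPEG) {
        throw new RuntimeException('not a JPEG by magic bytes');
    }

    // 3. Re-encode with GD. Decoding the pixels and writing a new JPEG drops
    //    anything that is not image data: trailing bytes, comment segments, etc.
    $img = @imagecreatefromjpeg($tmpPath);
    if ($img === false) {
        throw new RuntimeException('JPEG header present but image does not decode');
    }

    // 4. Never reuse the client-supplied name. Random name, fixed extension.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    $ok = imagejpeg($img, $dest, 85);
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException('could not write re-encoded image');
    }
    return $dest;
}

// --- Demo with constructed inputs (not real uploads) ---
$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir);

// Constructed attack file: a PE-style "MZ" header saved under a .jpg name.
$fakeJpg = "$dir/evil.jpg";
file_put_contents(
    $fakeJpg,
    "MZ\x90\x00" . str_repeat("\x00", 60) . "This program cannot be run in DOS mode."
);

// Constructed legitimate JPEG (8x8, generated with GD) with text appended
// after the image data. exif_imagetype() alone accepts this file.
$realJpg = "$dir/photo.jpg";
$canvas = imagecreatetruecolor(8, 8);
imagejpeg($canvas, $realJpg);
imagedestroy($canvas);
file_put_contents($realJpg, "<?php echo 'smuggled'; ?>", FILE_APPEND);

foreach ([$fakeJpg, $realJpg] as $path) {
    try {
        $stored = storeJpegUpload($path, $dir);
        $survives = str_contains(file_get_contents($stored), '<?php') ? 'yes' : 'no';
        printf("%s accepted -> %s (appended payload survives re-encode: %s)\n",
            basename($path), basename($stored), $survives);
    } catch (RuntimeException $e) {
        printf("%s rejected: %s\n", basename($path), $e->getMessage());
    }
}
```

Running this prints that evil.jpg is rejected ("not a JPEG by magic bytes") and that photo.jpg is accepted with the appended payload gone from the stored copy. In a real upload handler the destination directory should sit outside the web root, or be configured so the web server never hands files in it to a script interpreter, so that the stored file is only ever served as an image.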