Discuss Uploade File Handling in the PHP Development forum on Dev Shed. Uploade File Handling PHP Development forum discussing coding practices, tips on PHP, and other PHP-related topics. PHP is an open source scripting language that has taken the web development industry by storm.
Time spent in forums: 5 Months 2 Weeks 2 Days 8 h 8 m 49 sec
Reputation Power: 9259
Any decent virus scanner will have already scanned the files as they were being uploaded, or at least when PHP tried to access them. Otherwise it's just a matter of using the right exec/system function to call the right command-line scanner with the right arguments.
Validate file types? Most people are content to check extension, but if you want to look inside the file then it's trivial to write one yourself. Really. It's simple.
if (strncmp($data, "\x25\x50\x44\x46\x2D\x31\x2E", 7) == 0) /* is a PDF */;
if (strncmp($data, "\xFF\xD8\xFF", 3) == 0) /* is a JPEG */;
// next line isn't supposed to wrap - blame devshed for that
if (strncmp($data, "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00", 9) == 0) /* is a DOC */;
if (strncmp($data, "\x4D\x5A", 2) == 0) /* is a DLL */;
Time spent in forums: 1 Week 6 Days 23 h 38 m 36 sec
Reputation Power: 619
I didn't want to just check the file extension or mime type so I used your method. In my case I only want gif's,jpg's and png's so I added the extra couple of binary checks using the database you posted.
All three image types made it through the filter, next I tried putting through a text file called text.txt which I had renamed it to text.gif. It did not get through.
I would have spent a long time trying to figure this out! I owe you a favour.
P.S I like the idea of passing the buck for checking viruses to anti virus software on the server.
Time spent in forums: 2 Months 2 Days 20 h 11 m 10 sec
Reputation Power: 7170
I didn't want to just check the file extension
You need to check the file extension as well. There is nothing stopping me from putting a gif header at the start of a PHP file, uploading it to your server and then being able to execute arbitrary PHP code on your website. PHP won't care if there is a random gif header at the start of the file, it will still execute PHP code inside of the file if the file has a .php extension.