Discuss Upload File Handling in the PHP Development forum on Dev Shed, a forum discussing coding practices, tips on PHP, and other PHP-related topics. PHP is an open source scripting language that has taken the web development industry by storm.
Posts: 12,701
Time spent in forums: 5 Months 1 Week 4 Days 5 h 23 m 48 sec
Reputation Power: 8969
Any decent virus scanner will have already scanned the files as they were being uploaded, or at least when PHP tried to access them. Otherwise it's just a matter of using the right exec/system function to call the right command-line scanner with the right arguments.
Validate file types? Most people are content to check the extension, but if you want to look inside the file then it's trivial to write one yourself. Really. It's simple.
<?php
// $data holds the first bytes of the uploaded file, e.g.
// $data = file_get_contents($_FILES['upload']['tmp_name'], false, null, 0, 16);
if (strncmp($data, "\x25\x50\x44\x46\x2D\x31\x2E", 7) == 0) /* is a PDF ("%PDF-1.") */;
if (strncmp($data, "\xFF\xD8\xFF", 3) == 0) /* is a JPEG (SOI marker) */;
// next line isn't supposed to wrap - blame devshed for that
if (strncmp($data, "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00", 9) == 0) /* is a DOC (OLE2 compound file header) */;
if (strncmp($data, "\x4D\x5A", 2) == 0) /* is a DLL ("MZ", the header of any Windows executable) */;
// ...
Posts: 729
Time spent in forums: 1 Week 6 Days 23 h 17 m 15 sec
Reputation Power: 619
Thanks champion,
I didn't want to just check the file extension or MIME type, so I used your method. In my case I only want GIFs, JPGs and PNGs, so I added the extra couple of binary checks using the database you posted.
All three image types made it through the filter. Next I tried putting through a text file called text.txt which I had renamed to text.gif. It did not get through.
I would have spent a long time trying to figure this out! I owe you a favour.
Thanks again
P.S. I like the idea of passing the buck for checking viruses to anti-virus software on the server.
Posts: 7,931
Time spent in forums: 2 Months 7 h 48 m 54 sec
Reputation Power: 7053
Quote:
I didn't want to just check the file extension
You need to check the file extension as well. There is nothing stopping me from putting a gif header at the start of a PHP file, uploading it to your server and then being able to execute arbitrary PHP code on your website. PHP won't care if there is a random gif header at the start of the file, it will still execute PHP code inside of the file if the file has a .php extension.
In my case I am using Flash to upload files and it always sends the MIME type application/octet-stream no matter what type of file is being used, unfortunately.
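Putting the two points of this thread together (the magic-byte checks posted above and the reply that the extension must be checked as well), here is an added example that is not code from any of the posters: a validator for GIF/JPG/PNG uploads that accepts a file only when its extension is on a whitelist and its leading bytes carry that type's signature. The GIF and PNG signatures, the function name validate_image_upload and the constructed test files are my additions, not from the thread.

```php
<?php
// Added example: accept an upload only if BOTH the extension is whitelisted
// AND the file's leading bytes carry that type's signature (GIF/PNG sigs added here).
const IMAGE_SIGNATURES = [
    'gif' => ["GIF87a", "GIF89a"],
    'jpg' => ["\xFF\xD8\xFF"],                       // the thread's JPEG check
    'png' => ["\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"],   // 8-byte PNG signature
];
/** Return the validated extension (gif/jpg/png), or null if the file is rejected.
 *  $name is the client-supplied filename, $path the server-side temp file. */
function validate_image_upload(string $name, string $path): ?string
{
    // 1. Extension first: anything the web server might execute (.php, ...)
    //    is rejected here, before the content is even looked at.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($ext === 'jpeg') {
        $ext = 'jpg';
    }
    if (!isset(IMAGE_SIGNATURES[$ext])) {
        return null;
    }
    // 2. Content second: compare only the bytes needed against the signature(s)
    //    of the type the extension claims, so name and content must agree.
    $head = file_get_contents($path, false, null, 0, 8);
    if ($head === false) {
        return null;
    }
    foreach (IMAGE_SIGNATURES[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $ext;
        }
    }
    return null; // e.g. text.txt renamed to text.gif: extension ok, bytes wrong
}
// Self-check on constructed files (no real uploads): name, content, expected result.
$cases = [
    ['photo.gif', "GIF89a" . str_repeat("\0", 16),         'gif'],
    ['text.gif',  "just some text",                       null], // renamed text file
    ['image.php', "GIF89a<?php echo 'not an image'; ?>",  null], // gif header, .php ext
    ['logo.png',  "\x89PNG\r\n\x1a\n" . "IHDR",            'png'],
];
foreach ($cases as [$name, $bytes, $expected]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $ok = validate_image_upload($name, $tmp) === $expected;
    unlink($tmp);
    printf("%-10s %s\n", $name, $ok ? 'as expected' : 'UNEXPECTED');
}
```

The order matters: the extension is rejected before any bytes are read, so the "gif header at the start of a .php file" case from the reply above never reaches the signature comparison.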