RE: FN-FORUM: file size /type best practice
date posted 29th January 2007 12:23
Parsing the filename for the correct extension is a good idea as a basic check, but you really need to make sure that what's being uploaded really is an image and not a script with an image file extension. MIME-type checks are one way but they can be spoofed. I'd use something like exif_imagetype() which is a bit better at making sure an image is indeed an image.
See here: http://devzone.zend.com/manual/view/page/function.exif-imagetype.html
Doing it in JS probably is possible, but when you're dealing with a function where someone could potentially upload harmful files it's probably best not to let them see the code that does the checks!
>
>As part of an image upload script, I want to limit the file types and max
>sizes (file size not dimensions)
>
>Obviously I'll be using MAX_FILE_SIZE in my form (PHP), but I wondered if
>anyone had any tips on checking the size and type prior to upload
>
>I don't think it can be done with JavaScript but I'm happy to be educated
>otherwise (other than checking the name as a string to make sure it ends in
>.jpg or .jpeg or .png etc etc)
>
>Any ideas are welcome
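The server-side check discussed in this thread, as an added example that is not part of the original posts. It assumes PHP 7+ with the exif extension enabled; `store_uploaded_image`, `MAX_BYTES`, `ALLOWED_TYPES`, the 2 MiB limit, the `image` field name and the destination path are hypothetical.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
const MAX_BYTES = 2 * 1024 * 1024; // assumed limit: 2 MiB

// Allowlist: detected image type => extension the server assigns itself.
const ALLOWED_TYPES = [
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
    IMAGETYPE_GIF  => 'gif',
];

function store_uploaded_image(array $file, string $destDir): string
{
    // PHP reports its own rejections (MAX_FILE_SIZE, upload_max_filesize,
    // partial uploads) through the error field.
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or was rejected by PHP');
    }
    // Confirm the temp file really came from an HTTP POST upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // MAX_FILE_SIZE in the form is sent by the client; measure the file itself.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('File is empty or too large');
    }
    // Inspect the file's leading bytes. $file['type'] and $file['name']
    // are supplied by the sender and are not used for the decision.
    $type = @exif_imagetype($file['tmp_name']);
    if ($type === false || !array_key_exists($type, ALLOWED_TYPES)) {
        throw new RuntimeException('Not an allowed image type');
    }
    // Server-chosen name and extension, so the uploaded name never reaches disk.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$type];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store upload');
    }
    return $name;
}

// Usage in the upload handler ('image' and the path are assumed names):
// $stored = store_uploaded_image($_FILES['image'], '/var/uploads/images');
```

exif_imagetype() only reads the signature at the start of the file, so the destination directory should also be one the web server will not execute scripts from.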