Re: FN-FORUM: file size /type best practice
date posted 29th January 2007 14:51
Probably being ignorant here, but without using a Java app/flash object
(not sure on flash) to manage the file upload I didn't think you had
access to the size of the file until the form had completed submission.
webmetric wrote:
>> Parsing the filename for the correct extension is a good idea as a basic
>> check, but you really need to make sure that what's being uploaded really is
>> an image and not a script with an image file extension. MIME-type checks
>> are one way but they can be spoofed. I'd use something like
>> exif_imagetype() which is a bit better at making sure an image is indeed an
>> image.
>>
>> see here: http://devzone.zend.com/manual/view/page/function.exif-imagetype.html
>>
>> Doing it in JS probably is possible, but when you're dealing with a function
>> where someone could potentially upload harmful files it's probably best not
>> to let them see the code that does the checks!
>>
>>
>>
>
> Sorry, yeah I should have said, I've got the server side covered, it's just
> that I get students who try and upload 15 meg psd files when they should be
> uploading 600k jpegs.
>
> I just wanted a client side check first
>
> D
>
>
>
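The server-side checks discussed in the quoted text above, as an added example that is not part of the original thread: a size limit plus a leading-byte signature check (the kind of check exif_imagetype() performs), written here in JavaScript for Node.js rather than PHP. The function names, the sample uploads and the 600 KB limit are assumptions made for illustration.

```javascript
// Added example (Node.js); all names and the size limit are assumptions.
const MAX_BYTES = 600 * 1024;

// Leading-byte signatures of the accepted image types.
const SIGNATURES = [
  { type: 'jpeg', ext: '.jpg', magic: [0xff, 0xd8, 0xff] },
  { type: 'png', ext: '.png', magic: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: 'gif', ext: '.gif', magic: [0x47, 0x49, 0x46, 0x38] },
];

// Identify the image type from the first bytes; null if nothing matches.
function sniffImageType(buf) {
  for (const sig of SIGNATURES) {
    if (buf.length >= sig.magic.length && sig.magic.every((b, i) => buf[i] === b)) {
      return sig;
    }
  }
  return null;
}

// Decide using only the bytes received. The client's filename and declared
// MIME type are under the uploader's control, so they are never consulted.
function checkUpload(upload) {
  const data = upload.data;
  if (data.length === 0) return { ok: false, reason: 'empty file' };
  if (data.length > MAX_BYTES) return { ok: false, reason: 'too large' };
  const sig = sniffImageType(data);
  if (!sig) return { ok: false, reason: 'not a recognised image' };
  // The stored extension comes from the detected type, not from the filename.
  return { ok: true, type: sig.type, storeExt: sig.ext };
}

// Constructed sample uploads; every one claims to be image/jpeg.
const up = (filename, data) => ({ filename, declaredMime: 'image/jpeg', data });
const JPEG_HEADER = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]);
const PNG_HEADER = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const samples = {
  realJpeg: up('photo.jpg', Buffer.concat([JPEG_HEADER, Buffer.alloc(2048)])),
  scriptAsJpeg: up('photo.jpg', Buffer.from('<?php /* not an image */ ?>')),
  hugePsd: up('work.psd', Buffer.concat([Buffer.from('8BPS'), Buffer.alloc(15 * 1024 * 1024)])),
  pngNamedJpg: up('scan.jpg', Buffer.concat([PNG_HEADER, Buffer.alloc(512)])),
};

for (const [name, upload] of Object.entries(samples)) {
  console.log(name, JSON.stringify(checkUpload(upload)));
}
```

A signature match only identifies the container format, so the stored name and extension are chosen by the server rather than taken from the upload.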