PHP experts!
- kinetic
I'm trying to upload PPS files with PHP. However, the file type that they display is 'application/octet-stream' or whatever... which is the same type that PHP files will show if you try and upload them.
I can check in the file name to see if it has a .pps extension, but is that secure?
Then someone could technically upload a PHP file with a .pps extension. If they could rename it somehow, they could execute it.
Am I being paranoid here?
Is there a solid method for uploading files without a specific type (i.e. files that will display a type of application/octet-stream)?
thanks for your help!
:)
- enobrev
application/octet-stream, from my experience, is kind of the generic type sent when it's not sure. I think fla files come up the same. I'd say check for both the extension and the type, and make sure to only allow certain members to upload files until you figure out another way of catching the file header.
- kinetic
Damn, I was afraid of that.
Thanks for the advice, mate.
- davetufts
You should definitely check the extension. Since (normally) PHP files will only be executed if they have a '.php' extension, it's best to check that way (even if there's PHP code in a '.txt' file, the server won't execute it).
So after your file's been uploaded:
    if (stristr($your_file, ".php")) {
        // delete the uploaded file
        unlink("/path/to/$your_file");
        die("error...");
    }
- kinetic
I'm checking the extension in the name right now, and if it's not .pps I cancel out.
But maybe I'm just being paranoid... couldn't someone upload a PHP file with a .pps extension and then rename it somehow? (I can't see how, which is why I'm wondering if I'm just being paranoid ;) )
- JazX
you have to have the right extension man, uhhhhh, yep that generally works.
- okie
it depends what you want to do with the file once it has been uploaded, but, if you are worried about people executing it, you could upload it to a location outside your document root.
again, it all depends on what you are doing with it afterwards.
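The checks suggested across this thread (extension, file header, storage outside the document root) can be combined in one handler. This is an added example, not code from any poster; the upload directory, the form field name `slides` and the function name `accept_pps_upload` are assumptions.

```php
<?php
// Assumed path: must live outside the web server's document root so that
// nothing stored here can be requested (and executed) by URL.
const UPLOAD_DIR = '/var/uploads/pps';
// First 8 bytes of an OLE2 compound file, the container used by legacy
// Office formats (.pps, .ppt, .doc, .xls).
const OLE2_MAGIC = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1";

/**
 * Decide whether an uploaded file may be stored as a .pps.
 * Returns a server-chosen file name, or null if the upload is rejected.
 */
function accept_pps_upload(string $clientName, string $tmpPath): ?string
{
    // 1. Allow-list on the final extension only. This rejects "x.pps.php";
    //    "x.php.pps" passes here but is renamed in step 3.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext !== 'pps') {
        return null;
    }

    // 2. Check the file header. The browser-supplied type in
    //    $_FILES[...]['type'] is client-controlled and not checked at all.
    $fh = fopen($tmpPath, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, strlen(OLE2_MAGIC));
    fclose($fh);
    if ($head !== OLE2_MAGIC) {
        return null;
    }

    // 3. Never reuse the client's file name: generate one on the server.
    return bin2hex(random_bytes(16)) . '.pps';
}

if (isset($_FILES['slides']) && $_FILES['slides']['error'] === UPLOAD_ERR_OK) {
    $f = $_FILES['slides'];
    $stored = accept_pps_upload($f['name'], $f['tmp_name']);
    // move_uploaded_file() also verifies the source really is an HTTP upload.
    if ($stored === null || !move_uploaded_file($f['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        http_response_code(400);
        die('upload rejected');
    }
    echo 'stored as ' . $stored;
}
```

The header check only shows that the file is an OLE2 container, not that it is a well-formed slide show; the generated name and the storage location are what keep the upload from being executed.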