
Most secure way to check uploaded file size and type



spetsacdc
07-20-2008, 04:14 AM
Hi, when letting users upload files, what is the most secure way to make sure the file type is ok, and the size is not bigger than what you want?

Currently when checking file type I do something like:


// Take everything after the last "." of the client-supplied file name as the extension
$file_name = $_FILES['image']['name'];
$type = strrev(substr(strrev($file_name), 0, strpos(strrev($file_name), '.')));

To check size I just use:


$size_used = $_FILES["myfile"]["size"];

Are these fairly secure? I read something that said you should not trust the mime type. Is this just:
$_FILES["myfile"]["type"] ??

Thanks

ShaneC
07-20-2008, 05:01 AM
The only other way I know of to get the data is only available after you upload the file - which really defeats the purpose.

I'm sure someone else here has an ingenious way of detecting it pre-upload, Javascript/AJAX for example, but I've personally never had an issue with the method you posted.

So my advice: Stay tuned to this thread in case someone has insight. In the meantime, though, I think it's safe to roll the dice while you wait.

spetsacdc
07-20-2008, 05:08 AM
> The only other way I know of to get the data is only available after you upload the file - which really defeats the purpose.
>
> I'm sure someone else here has an ingenious way of detecting it pre-upload, Javascript/AJAX for example, but I've personally never had an issue with the method you posted.
>
> So my advice: Stay tuned to this thread in case someone has insight. In the meantime, though, I think it's safe to roll the dice while you wait.

Hey, thanks for the info. I did more searching and it seems like the only unsafe thing to use is $_FILES["myfile"]["type"] , I think $_FILES["myfile"]["size"] is safe. I also think it is safe to use $_FILES["myfile"]["name"] and check the string after the last "." for the extension...

Oh and I wish I could check size before uploading it, but I gave up on that a long time ago since I read javascript can't do it.

I really wanted to use a Perl script because I think those can check the size beforehand, and I know they can do a progress bar. However, I don't know enough Perl to modify a script to meet my needs.

Thanks again
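As an added example (not code from any poster in this thread), here is how the checks discussed above can be done server-side in PHP without trusting anything the browser reports: the reported MIME type is ignored in favour of sniffing the file's bytes, the size is measured on disk, the client-supplied name is used only to select an entry from a whitelist, and the stored name is generated on the server. The field name "myfile" comes from the thread; the allowed types, the 2 MB limit and the upload directory are assumptions.

```php
<?php
// Assumptions for this example (not from the thread): allowed image types,
// a 2 MB limit, and an upload directory outside the web root.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED = [ // extension => MIME type expected from the file's bytes
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

// Returns the validated extension, or throws with the reason for rejection.
function validate_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $f['error']);
    }
    // Only accept a file that PHP itself placed in the temp dir for this request.
    if (!is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Size: measure the file on disk instead of relying on the reported value.
    if (filesize($f['tmp_name']) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Extension: the name is client-supplied, so use it only to pick a whitelist entry.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Type: $_FILES[...]['type'] comes from the browser; sniff the actual bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($f['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, not " . ALLOWED[$ext]);
    }
    // For images, additionally require that the image decoder recognises the file.
    if (getimagesize($f['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    return $ext;
}

$ext = validate_upload($_FILES['myfile']);
// Store under a server-generated name so the client never controls the path
// or the extension of what is written to disk.
$dest = '/var/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['myfile']['tmp_name'], $dest)) {
    throw new RuntimeException('could not store upload');
}
```

Size can still be bounded before the body is fully read by setting upload_max_filesize and post_max_size in php.ini, which makes PHP reject oversized requests with an error code that the check above reports.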


