Thanks Miguel,

Actually, I figured out how to do it: a combination of checking:

if ( $_REQUEST['pix']['type'] == "image/jpeg") { blah, blah, blah

and then using 'fread' on the actual file itself, applying my 'eregi' verification code. It works! The problem before was that I was attempting to read the array, rather than the actual file.

Thanks for the link.

Btw, I'm still confused about how to organize my /var/www/html directory so that I can still access it for code, but others will not be able to, say, access /var/www/html/tmp_for_checking_files_like_jpegs. I've made a temporary change (for prototyping) to php.ini using /var/www/html as the upload_temp_dir, but I don't know how or where it should go in production.

Any suggestions?

Tia,
Andre

On Wednesday 15 May 2002 02:36 pm, you wrote:
> On Tue, 14 May 2002, Andre Dubuc wrote:
> > My question will probably expose my woeful lack of understanding of security
> > breaches, but perhaps someone can enlighten me.
> >
> > On my site, registered members will be allowed to upload jpg/jpeg
> > pictures. I'm concerned about possible security problems. First, is there
> > a way to ensure that a picture (and not some other malicious stuff) has
> > been uploaded?
> >
> > Aside from checking the mime type info associated with the file, is there
> > any way of verifying what's in the file that has been uploaded? (I'm
> > using Linux LM8.2) Would it be possible to fake info to fool this check?
> > Would verification checks for html/scripts/commands be of any use?
>
> You can pass the path to the unix command 'file' which looks at the file's
> prologue to attempt to figure out what it is. This is usually a pretty
> good way to weed out trouble.
>
> http://www.doc.ic.ac.uk/lab/labman/lookup-man.cgi?file
>
> miguel

-- 
Please pray the Holy Rosary to end the holocaust of abortion.
Remember in your prayers the Holy Souls in Purgatory.
May God bless you abundantly in His love!
For a free Cenacle Scriptural Rosary Booklet: http://www.webhart.net/csrb/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
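As an added example (not code from this thread), here is the check Andre describes written out in PHP: read the uploaded file's leading bytes with fread and compare them to the JPEG signature, treat the client-supplied type as a hint only, and move the accepted file to a directory outside /var/www/html so it is never web-reachable. The form field name 'pix' and the storage directory path are assumptions.

```php
<?php
// Added example, not from the original thread. Verifies that an upload really
// is a JPEG by reading its first bytes, instead of trusting the MIME type the
// browser sent. 'pix' and the storage directory are assumed names.

// Every JPEG starts with the SOI marker FF D8, followed by another marker byte FF.
define('JPEG_MAGIC', "\xFF\xD8\xFF");

function looks_like_jpeg($path) {
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, strlen(JPEG_MAGIC));
    fclose($fh);
    return $head === JPEG_MAGIC;
}

function accept_jpeg_upload($field, $store_dir) {
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    $tmp = $_FILES[$field]['tmp_name'];
    // Refuse anything that did not arrive as an HTTP upload in this request.
    if (!is_uploaded_file($tmp)) {
        return false;
    }
    // $_FILES[$field]['type'] is set by the client, so it decides nothing;
    // the byte check is what actually accepts or rejects the file.
    if (!looks_like_jpeg($tmp)) {
        return false;
    }
    // Store under a server-chosen name in a directory outside the web root, so
    // the file can never be fetched as /var/www/html/<something>. random_bytes
    // needs PHP 7 or later.
    $dest = rtrim($store_dir, '/') . '/' . bin2hex(random_bytes(8)) . '.jpg';
    return move_uploaded_file($tmp, $dest) ? $dest : false;
}

// Call from the upload handler; the directory is an assumed, non-web path:
// $saved = accept_jpeg_upload('pix', '/var/www/uploads_private');
```

A temporary upload_tmp_dir setting in php.ini can point at the same kind of non-web directory, so files awaiting the check are not reachable through the server either.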