[PHP] upload files and file types

2003-03-22 Thread Dan Rossi
Hi there, I was wondering on security of file uploads. I am currently
using the PEAR uploader class. I can check for allowed file extensions,
but it doesn't seem to check for file type. I can currently rename, say, an
image to zip and it uploads. Is there any way a hacker could rename an
executable to a zip and be able to upload it and execute it?


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] upload files and file types

2003-03-22 Thread Larry E. Ullman
> Hi there, I was wondering on security of file uploads. I am currently
> using the PEAR uploader class. I can check for allowed file extensions,
> but it doesn't seem to check for file type. I can currently rename, say, an
> image to zip and it uploads. Is there any way a hacker could rename an
> executable to a zip and be able to upload it and execute it?

I can't address your specific question but here are a couple of recommendations:
- Rename the uploaded file so that the user won't know what it's called on the server.
- Store the file outside of the Web directory so it's not accessible via HTTP.

Hope that helps,
Larry
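
The two recommendations above, combined with the content-based type check the original question asks about, as an added example that is not code from the thread or from the PEAR uploader class. It assumes PHP 7 or later with the Fileinfo extension; the allow-list, the storage path and the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Allow-list and paths are assumptions.
declare(strict_types=1);

const ALLOWED = ['image/png' => 'png', 'application/zip' => 'zip']; // MIME => stored extension

// Identify a file by its content (Fileinfo), ignoring the client-supplied name.
function detect_extension(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) ? (ALLOWED[$mime] ?? null) : null; // null: not an allowed type
}

// Store one entry of $_FILES under a random name in a directory outside the web root.
function store_upload(array $file, string $storageDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or not an HTTP upload');
    }
    $ext = detect_extension($file['tmp_name']);
    if ($ext === null) {
        throw new RuntimeException('file content is not an allowed type');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;  // unguessable server-side name
    $dest = $storageDir . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0640);                              // readable, never executable
    return $name;  // record the mapping to $file['name'] in a database if needed
}

// In a request handler (hypothetical path, outside the document root):
//   $stored = store_upload($_FILES['userfile'], '/var/app/uploads');

// Constructed CLI demo: the content decides, not the extension the client chose.
if (PHP_SAPI === 'cli') {
    $samples = [
        'photo.png'   => "\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" . pack('NN', 1, 1) . "\x08\x02\x00\x00\x00",
        'archive.zip' => "\x7fELF\x02\x01\x01" . str_repeat("\x00", 57), // ELF header bytes, renamed
    ];
    foreach ($samples as $claimed => $bytes) {
        $tmp = tempnam(sys_get_temp_dir(), 'up');
        file_put_contents($tmp, $bytes);
        printf("%-12s -> %s\n", $claimed, detect_extension($tmp) ?? 'rejected');
        unlink($tmp);
    }
}
```

Files stored this way are served back through a script that reads them from the storage directory, so the web server never maps a URL directly onto an uploaded file.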