From: Hans Åhlin on 30 Jul 2010 21:35

**********************************************
Hans Åhlin
Tel: +46761488019
icq: 275232967
http://www.kronan-net.com/
irc://irc.freenode.net:6667 - TheCoin
**********************************************

2010/7/30 Pete Ford <pete(a)justcroft.com>

> On 29/07/10 19:10, tedd wrote:
>
>> At 9:50 AM -0700 7/29/10, Don Wieland wrote:
>>
>>> I am trying to create an UPLOAD form and need to figure a way to only
>>> allow PDF files to be selected.
>>>
>>
>> The short answer is you can't -- not from php. You can create a standard
>> form and upload it from there, but you don't have control over file type.
>>
>> So you can't stop people from uploading anything to your site via the
>> form, but you can look at the document once it's there and inspect it.
>> Using a HEX Editor, I see that most pdf files have the first four bytes
>> as "%PDF" so you might check that before moving the file to somewhere
>> important. But that doesn't stop spoofing.
>>
>> The pdf files also end with "startxref [some numbers] %%EOF"
> Other than that, I can't see any way to do it.
>>
>> Cheers,
>>
>> tedd
>>
>
> Second what tedd says, with a bit more: on a Linux backend system I run
> uploaded files through the 'file' command with a decent magic file to detect
> the file type. I also run every upload through a virus scanner (clamscan,
> for example) before I accept it.
> If your PHP backend is Windows then you might need to do some research to
> find a good file-type detection routine, although the virus scanning should
> be possible.
>
> You certainly cannot trust the client side to do any checking. In any case,
> JavaScript doesn't (shouldn't) have access to the file you are trying to
> upload, so there's not much you can do there. You might achieve something
> client-side with Flash, or a Java uploader applet, I suppose.
>
> Cheers
> Pete
>
> --
> Peter Ford, Developer phone: 01580 893333 fax: 01580 893399
> Justcroft International Ltd.
> www.justcroft.com
> Justcroft House, High Street, Staplehurst, Kent TN12 0AH United Kingdom
> Registered in England and Wales: 2297906
> Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
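
The server-side checks discussed in the thread (the "%PDF" header, the "startxref ... %%EOF" trailer, and magic-based type detection like the 'file' command), as an added example that is not part of any poster's message. The function names and the two sample files are constructed for illustration; `pdf_mime_ok()` assumes PHP's fileinfo extension is available.

```php
<?php
// Added example, not from the thread: inspect an uploaded file before accepting it.
// Function names and sample data below are constructed for illustration.

function pdf_signature_ok(string $path): bool
{
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = (string) fread($fh, 5);            // a PDF starts with "%PDF-"
    $size = fstat($fh)['size'];
    fseek($fh, max(0, $size - 1024));          // the trailer sits at the end
    $tail = (string) stream_get_contents($fh);
    fclose($fh);

    // Strict form of the trailer: startxref, an offset, then %%EOF.
    return $head === '%PDF-'
        && preg_match('/startxref\s+\d+\s+%%EOF\s*$/', $tail) === 1;
}

function pdf_mime_ok(string $path): bool
{
    // ext/fileinfo uses a libmagic database, like the `file` command.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($path) === 'application/pdf';
}

function accept_pdf(string $path): bool
{
    // Content-based only: the client-supplied name and type are ignored.
    return pdf_signature_ok($path) && pdf_mime_ok($path);
}

// Constructed sample inputs: a minimal PDF-shaped file and a renamed text file.
$samples = [
    'pdf-shaped'  => "%PDF-1.4\n1 0 obj\n<< >>\nendobj\nstartxref\n9\n%%EOF\n",
    'renamed txt' => "just some text saved as report.pdf\n",
];
foreach ($samples as $label => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    printf("%-12s signature=%s accept=%s\n", $label,
        var_export(pdf_signature_ok($tmp), true),
        var_export(accept_pdf($tmp), true));
    unlink($tmp);
}
```

In an upload handler, `accept_pdf()` would be called on the entry's `tmp_name` from `$_FILES` before `move_uploaded_file()`. A pass only means the bytes are shaped like a PDF, so the virus scan mentioned in the thread still applies.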