From: Hans Åhlin on
**********************************************
Hans Åhlin
Tel: +46761488019
icq: 275232967
http://www.kronan-net.com/
irc://irc.freenode.net:6667 - TheCoin
**********************************************


2010/7/30 Pete Ford <pete(a)justcroft.com>

> On 29/07/10 19:10, tedd wrote:
>
>> At 9:50 AM -0700 7/29/10, Don Wieland wrote:
>>
>>> I am trying to create an UPLOAD form and need to figure a way to only
>>> allow PDF files to be selected.
>>>
>>
>> The short answer is you can't -- not from php. You can create a standard
>> form and upload it from there, but you don't have control over file type.
>>
>> So you can't stop people from uploading anything to your site via the
>> form, but you can look at the document once it's there and inspect it.
>> Using a HEX Editor, I see that most pdf files have the first four bytes
>> as "%PDF" so you might check that before moving the file to somewhere
>> important. But that doesn't stop spoofing.
>>
>>
The pdf files also end with "startxref [some numbers] %%EOF"


>> Other than that, I can't see any way to do it.
>>
>> Cheers,
>>
>> tedd
>>
>
> Second what tedd says, with a bit more: on a Linux backend system I run
> uploaded files through the 'file' command with a decent magic file to detect
> the file type. I also run every upload through a virus scanner (clamscan,
> for example) before I accept it.
> If your PHP backend is windows then you might need to do some research to
> find a good file-type detection routine, although the virus scanning should
> be possible.
>
> You certainly cannot trust the client side to do any checking. In any case,
> JavaScript doesn't (shouldn't) have access to the file you are trying to
> upload, so there's not much you can do there. You might achieve something
> client-side with Flash, or a Java uploader applet, I suppose.
>
> Cheers
> Pete
>
> --
> Peter Ford, Developer phone: 01580 893333 fax: 01580 893399
> Justcroft International Ltd.
> www.justcroft.com
> Justcroft House, High Street, Staplehurst, Kent TN12 0AH United Kingdom
> Registered in England and Wales: 2297906
> Registered office: Stag Gates House, 63/64 The Avenue, Southampton SO17 1XS
>
>
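
The server-side checks mentioned in this thread (the "%PDF" header, the "startxref [some numbers] %%EOF" trailer, and magic-based type detection like the 'file' command), combined in one PHP function. This is an added example, not code posted by anyone in the thread; `looksLikePdf()` is a hypothetical helper name and the sample inputs are constructed. As noted above, passing these checks does not stop spoofing, and the virus scan remains a separate step.

```php
<?php
// Added example; looksLikePdf() is a hypothetical helper name, not part of PHP.
function looksLikePdf(string $path, int $maxBytes = 10485760): array
{
    $size = @filesize($path);
    if ($size === false || $size < 32 || $size > $maxBytes) {
        return [false, 'size out of range'];
    }
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return [false, 'cannot open file'];
    }
    $head = fread($fh, 5);                      // header, e.g. "%PDF-1.4"
    fseek($fh, -min($size, 1024), SEEK_END);    // trailer sits in the last bytes
    $tail = fread($fh, 1024);
    fclose($fh);
    if ($head !== '%PDF-') {
        return [false, 'missing %PDF- header'];
    }
    // Trailer as quoted in the thread: startxref [some numbers] %%EOF
    if (!preg_match('/startxref\s+\d+\s+%%EOF\s*$/', $tail)) {
        return [false, 'missing startxref/%%EOF trailer'];
    }
    // fileinfo uses libmagic, the library behind the `file` command
    if (class_exists('finfo')) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
        if ($mime !== 'application/pdf') {
            return [false, "magic says $mime"];
        }
    }
    return [true, 'ok'];
}

// Constructed sample inputs (not real documents)
$samples = [
    'minimal.pdf' => "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\nstartxref\n9\n%%EOF\n",
    'renamed.pdf' => "plain text saved with a .pdf name (constructed sample)",
    'cut.pdf'     => "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    [$ok, $why] = looksLikePdf($tmp);
    printf("%-12s %s (%s)\n", $name, $ok ? 'accept' : 'reject', $why);
    unlink($tmp);
}
```

In an upload handler, pass `$_FILES[...]['tmp_name']` after `is_uploaded_file()` confirms it, and call `move_uploaded_file()` only when the result is an accept.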