  1. #1
    New Coder
    Join Date
    Mar 2008
    Posts
    92
    Thanks
    19
    Thanked 0 Times in 0 Posts

    Most secure way to check uploaded file size and type

    Hi, when letting users upload files, what is the most secure way to make sure the file type is ok, and the size is not bigger than what you want?

    Currently when checking file type I do something like:

    PHP Code:
    $file_name = $_FILES['image']['name'];
    // Take everything after the last '.' as the extension
    $type = strrev(substr(strrev($file_name), 0,
    strpos(strrev($file_name), '.')));

    To check size I just use:

    PHP Code:
    $size_used = $_FILES["myfile"]["size"];

    Are these fairly secure? I read something that said you should not trust the mime type. Is this just:

    PHP Code:
    $_FILES["myfile"]["type"]
    ??

    Thanks

  • #2
    Codeasaurus Rex
    Join Date
    Jun 2008
    Location
    Redmond, WA
    Posts
    660
    Thanks
    31
    Thanked 100 Times in 94 Posts
    The only other way I know of to get the data is only available after you upload the file - which really defeats the purpose.

    I'm sure someone else here has an ingenious way of detecting it pre-upload, JavaScript/AJAX for example, but I've personally never had an issue with the method you posted.

    So my advice: Stay tuned to this thread in case someone has insight. In the meantime, though, I think it's safe to roll the dice while you wait.
    Unless otherwise stated, any code posted is most likely untested and may contain syntax errors.
    My posts, comments, code, and suggestions reflect only my personal views.
    Web Portfolio and Code Snippets: http://shanechism.com

  • Users who have thanked ShaneC for this post:

    spetsacdc (07-20-2008)

  • #3
    New Coder
    Join Date
    Mar 2008
    Posts
    92
    Thanks
    19
    Thanked 0 Times in 0 Posts
    Quote: Originally posted by ShaneC
    The only other way I know of to get the data is only available after you upload the file - which really defeats the purpose.

    I'm sure someone else here has an ingenious way of detecting it pre-upload, JavaScript/AJAX for example, but I've personally never had an issue with the method you posted.

    So my advice: Stay tuned to this thread in case someone has insight. In the meantime, though, I think it's safe to roll the dice while you wait.

    Hey, thanks for the info. I did more searching and it seems like the only unsafe thing to use is $_FILES["myfile"]["type"]. I think $_FILES["myfile"]["size"] is safe. I also think it is safe to use $_FILES["myfile"]["name"] and check the string after the last "." for the extension...

    Oh and I wish I could check size before uploading it, but I gave up on that a long time ago since I read JavaScript can't do it.

    I really wanted to use a Perl script because I think those can check the size beforehand, and I know they can do a progress bar. However, I don't know enough Perl to modify a script to meet my needs.

    Thanks again
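
Added example (not part of the original thread or any poster's code): a server-side check along the lines discussed above. It takes the extension from the name, the size from the stored temp file, and the type from the file's contents via fileinfo instead of $_FILES[...]["type"]. The 2 MiB limit, the image allowlist, the uploads/ directory and the names MAX_BYTES, ALLOWED and validate_upload() are assumptions for illustration; it needs PHP 7+ with the fileinfo extension.

```php
<?php
// Added example; MAX_BYTES, ALLOWED and validate_upload() are hypothetical names.
const MAX_BYTES = 2 * 1024 * 1024;           // assumed 2 MiB limit
const ALLOWED = [                            // extension => expected content type
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'gif' => 'image/gif',
];

// Validates one entry of $_FILES and returns the extension to store it under.
function validate_upload(array $file): string
{
    // Reject array-shaped fields and uploads PHP flagged as failed or over its limits.
    if (!isset($file['error']) || is_array($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // tmp_name must be a file PHP itself received via HTTP POST.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Size of the file as stored on the server.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    // Extension after the last dot, lower-cased; used only as an allowlist key.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Detect the type from the file's bytes; $file['type'] is sent by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    return $ext;
}

// Usage in the upload handler: store under a server-generated name, never the client's.
if (isset($_FILES['myfile'])) {
    try {
        $ext  = validate_upload($_FILES['myfile']);
        $dest = __DIR__ . '/uploads/' . bin2hex(random_bytes(16)) . '.' . $ext;
        move_uploaded_file($_FILES['myfile']['tmp_name'], $dest) || http_response_code(500);
    } catch (RuntimeException $e) {
        http_response_code(400);             // rejected upload
    }
}
```

Requests larger than PHP's own upload_max_filesize or post_max_size settings are rejected by PHP before this code runs and show up here as a non-OK error code.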

