Re: [PHP] Uploading and verifying word and excel files

Posted by Mathieu Dumoulin on 10/20/00 11:19

John Nichel wrote:
> Jack Jackson wrote:
> <snip>
>
>> Also, it seems that directories must be blown wide open (777) to allow
>> the script to copy the file over from /tmp. My ISP won't allow
>> directories to be set to 777 under public_html/ -- but we need to
>> access the files via web browser which is the whole point.
>
>
> It shouldn't have to be this way. The webserver should be configured to
> run as your virtual user, or belong to a group which has write
> permission to that directory, or.....I'm getting a bit off track with
> that. This is something you'll have to take up with your ISP.
>
>> So my questions:
>> 1. How do you validate Word and Excel files before upload?
>
>
> Before? JavaScript...if JavaScript can even do it (I haven't touched
> the stuff in ages). After upload, you can check the mime type, but
> that's not foolproof.
>
>> 2. How can I make a passthrough from a file above public_html to one
>> below it so that people can surf in with a browser and download files
>> which have been uploaded by the script?
>
>
> http://us4.php.net/move_uploaded_file
>

Indeed file types are not foolproof; for example, Windows provides the
mime-type based on the file type in your system. Whatever browser the
user has, if you don't have, for example, Acrobat Reader installed, all
PDF files will be uploaded as application/octet-stream files.

So in no way should you ever validate a file based on its extension or
on its mime type since 93% of the machines out there use extension to
determine the mime type.

The only virtually failproof way to test for a certain file is using the
header of the file. For example, getimagesize uses the header of the
file to find what type of file it is. I wouldn't recommend parsing the
file; imagine someone uploaded an imposing 10 or even 100 MB file. The
only way would be to read the first few characters and compare them with
standard headers in those particular files. This will be an almost
failproof way to see if an uploaded file is of the correct type.

The only 2 drawbacks to this method are:

- 1) Someone with malicious intentions CAN change the header of a file
to force it to look like another type of file. What the end result is, I
dare not think about. It could be used for any kind of hacking or
damaging effect.

- 2) With ever changing versions of WORD and EXCEL, you need to
implement a series of different headers for PC, MAC and even possibly
LINUX if there is a version of these with slightly different headers. So
it makes your code get heavier each year or so.

Mathieu Dumoulin
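As an added example (not code from the original thread), here is a PHP check of the kind Mathieu describes: read only the first few bytes of the still-temporary upload and compare them with known file headers, then move the file with move_uploaded_file only if it passes. It assumes a form field named `doc` and a placeholder storage directory; the OLE2 and ZIP signatures are the standard ones. One caveat a practitioner should know: legacy Word and Excel files share the same OLE2 container header, so this proves "Office binary file", not which application wrote it, and as the post says a header can be forged, so treat it as a first gate rather than proof.

```php
<?php
// Added example, not from the original post. Validates an upload by its
// leading bytes ("magic number") instead of the extension or the
// browser-supplied MIME type. Only 8 bytes are read, so a 100 MB upload
// costs nothing extra.

// Known signatures. Legacy .doc/.xls/.ppt all use the OLE2 compound
// document header, so the magic alone says "Office binary", not which
// program. Modern .docx/.xlsx are ZIP archives (PK\x03\x04); telling them
// from any other ZIP would require inspecting the archive entries.
const OFFICE_SIGNATURES = [
    'ole2-office' => "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    'zip-ooxml'   => "PK\x03\x04",
];

/**
 * Return the name of the matching signature, or null when the file
 * starts with none of the known headers (or cannot be read).
 */
function detect_office_type(string $path): ?string
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return null;
    }
    $head = fread($fh, 8);   // longest signature is 8 bytes
    fclose($fh);
    if ($head === false) {
        return null;
    }
    foreach (OFFICE_SIGNATURES as $name => $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            return $name;
        }
    }
    return null;
}

// Typical use in an upload handler: check the temp file first, then move it.
if (isset($_FILES['doc']) && is_uploaded_file($_FILES['doc']['tmp_name'])) {
    $type = detect_office_type($_FILES['doc']['tmp_name']);
    if ($type === null) {
        http_response_code(400);
        exit('Not a recognised Word/Excel file');
    }
    // Server-generated name: the client's filename and extension never
    // reach the filesystem. '/path/outside/public_html/' is a placeholder.
    $dest = '/path/outside/public_html/' . bin2hex(random_bytes(16)) . '.bin';
    move_uploaded_file($_FILES['doc']['tmp_name'], $dest);
}
```

Because the stored file sits above public_html, it is served to browsers through a download script rather than directly, which also keeps the header check and access control in one place.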
