Posted by shimmyshack on 02/20/07 11:28
On 20 Feb, 09:30, bill <n...@noreturn.f9.co.uk> wrote:
> bill wrote:
> > Can anyone help? I am using the following code to check that only jpg
> > images can be uploaded
>
> > if ($_FILES['userfile']['type'] != 'image/jpeg')
> > {
> > $msg = 'Problem: file is not jpg';
> > }
>
> > When uploading a jpg or jpeg this works fine in Firefox but when I try
> > to upload a jpg using Internet Explorer an error is produced saying that
> > it is not a jpg when in fact it is.
> > Can anyone help?
> > Thanks
> > bill
>
> I have tried the array approach and it still says image is not a jpg.
> I have a javascript that only allows jpg and this works ok and only
> allows jpg to the server but the server still says it's not a jpg. Here
> is the code from the form.
> <form enctype="multipart/form-data" action="picture.php" name="frmpic"
> method=post onsubmit="return ExtensionsOkay();">
> <input type="hidden" name="MAX_FILE_SIZE" value="20000">
> Upload image file: <input name="userfile" type="file">
> <input type="submit" value="Send File" name="upload">
> </form>
>
> $img_types = array('image/jpeg','image_jpg');
> if (!in_array($_FILES['userfile']['type'],$img_types))
> {
> $msg = 'Problem: file is not jpg';
> }
> How can it say that it is not a jpg when it is and works ok in Firefox?
Have you checked to see what the value actually _is_? I am not sure if
my last post worked, but you will find that the browser lies.
Install Fiddler and watch the headers for yourself and see. So your
whole approach is flawed, because some of your users will find this a
show stopper, not many, but a significant few.
Instead, don't trust the messenger, or in this case IE; simply get the
file's width and height, and if it ain't got none, it ain't an image.
Then check for executable code embedded inside.
I mean, what exactly are you checking to see if it is an image for? There
are ico, bmp, tiff, wmf and a whole lot of other images.
If you are checking "so that it's safe" then good luck, that won't work;
if you're "checking so it can be put into a folder called images"
then good luck with that too. Instead put stuff up on the server into
a folder where the sun doesn't shine, scan for viruses, and then move
the uploaded file based on what its properties are.
My $0.02.
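
The approach suggested in the reply above, sketched as an added example that is not part of the original post: ignore the browser-supplied `type`, park the upload in a non-public folder, read the width, height and format from the file itself, and only then move it. The directory constants, the function name and the random file naming are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Paths and names below are hypothetical.
const QUARANTINE_DIR = '/var/uploads/quarantine'; // assumed: outside the web root
const IMAGE_DIR      = '/var/uploads/images';     // assumed: final storage folder
const MAX_BYTES      = 20000;                     // same limit as the form's MAX_FILE_SIZE

function accept_jpeg_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Problem: upload failed');
    }
    // MAX_FILE_SIZE in the form is only a browser hint, so enforce it here too.
    if (!is_uploaded_file($file['tmp_name']) || filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('Problem: not an uploaded file, or too large');
    }

    // Server-generated name: the client's file name and 'type' are never used.
    $name        = bin2hex(random_bytes(16));
    $quarantined = QUARANTINE_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $quarantined)) {
        throw new RuntimeException('Problem: could not quarantine upload');
    }

    // getimagesize() parses the file header: [0] width, [1] height, [2] IMAGETYPE_*.
    $info = @getimagesize($quarantined);
    if ($info === false || $info[0] < 1 || $info[1] < 1 || $info[2] !== IMAGETYPE_JPEG) {
        unlink($quarantined);
        throw new RuntimeException('Problem: file is not jpg');
    }

    // A header check does not prove the rest of the file is harmless; a virus
    // scan of $quarantined belongs here, before the file is released.

    $final = IMAGE_DIR . '/' . $name . '.jpg'; // fixed extension chosen by the server
    if (!rename($quarantined, $final)) {
        unlink($quarantined);
        throw new RuntimeException('Problem: could not store image');
    }
    return $final;
}

// Usage in picture.php, keeping the $msg variable from the question:
try {
    $msg = 'Stored as ' . basename(accept_jpeg_upload($_FILES['userfile'] ?? []));
} catch (RuntimeException $e) {
    $msg = $e->getMessage();
}
```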