Posted by shimmyshack on 02/20/07 03:13
On 20 Feb, 00:42, bill <n...@noreturn.f9.co.uk> wrote:
> Can anyone help. I am using the following code to check that jpg image
> only can be uploaded
>
> if ($_FILES['userfile']['type'] != 'image/jpeg')
> {
> $msg = 'Problem: file is not jpg';
> }
>
> when uploading a jpg or jpeg this works fine in firefox but when I try
> to upload a jpg using internet explorer an error is produced saying that
> it is not a jpg when in fact it is.
> Can anyone help
> Thanks
> bill
This is because the browser can lie about what it is sending you. Are
you sure you have the correct html form encoding:
enctype="multipart/form-data"
see here:
http://www.w3.org/TR/device-upload
you can also set the mime type in the input field itself to specify
images, separated with a space AFAIK - details at the URL above.
However you still need to implement checking server-side, most do
this by trying to get the size of the image using the GD library,
and also perhaps trying to extract the thumbnail and showing that (if
present) as a quick way to show your user feedback.
One thing though, don't assume that because it is an image, that it's
safe, use good security practices:
proper "no execute" permissions,
forcetype image/jpeg for the jpeg images directory
parse the image for embedded php code, and erase it if present
if the image is to be public, then you _must_ protect your server, if
it is not public, then store it where it cannot be accessed via a URL.
I only mention this because a couple of well chosen lines of php
embedded in any image on an unprotected server can give server-wide
access to the person who uploads the image, and knows where to find it
via a URL afterwards.
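An added example, not part of the original post: one way to do the server-side check the reply describes, deciding on the file's content with GD instead of the browser-supplied type, then re-encoding so that non-pixel data is not carried into the stored copy. The function name sanitize_jpeg(), the temp-directory destination and the sample data are assumptions made for the illustration.

```php
<?php
// Added example: validate an upload by content, not by $_FILES[...]['type'].
// sanitize_jpeg() is a hypothetical helper name, not from the thread.
function sanitize_jpeg(string $srcPath, string $destDir): string
{
    // getimagesize() reads the file header; index 2 is an IMAGETYPE_* constant.
    $info = @getimagesize($srcPath);
    if ($info === false || $info[2] !== IMAGETYPE_JPEG) {
        throw new RuntimeException('Problem: file is not jpg');
    }
    // Decode with GD and re-encode: comment segments, EXIF blocks and
    // trailing bytes of the original file are not written to the new copy.
    $img = @imagecreatefromjpeg($srcPath);
    if ($img === false) {
        throw new RuntimeException('Problem: jpg could not be decoded');
    }
    // Server-chosen name with a fixed extension; never reuse the client's name.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.jpg';
    if (!imagejpeg($img, $dest, 90)) {
        throw new RuntimeException('Problem: could not store image');
    }
    chmod($dest, 0644); // readable, no execute bit
    return $dest;
}

// In an upload handler the source is $_FILES['userfile']['tmp_name'], used
// only after is_uploaded_file() returns true. Constructed offline demo below.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    imagejpeg(imagecreatetruecolor(8, 8), $tmp);           // constructed 8x8 JPEG
    $marker = '<?php /* constructed marker, does nothing */ ?>';
    file_put_contents($tmp, $marker, FILE_APPEND);         // trailing non-image bytes

    $stored = sanitize_jpeg($tmp, sys_get_temp_dir());
    var_dump(strpos(file_get_contents($tmp), $marker) !== false);    // raw upload
    var_dump(strpos(file_get_contents($stored), $marker) !== false); // stored copy

    file_put_contents($tmp, 'GIF89a not a jpeg');           // constructed non-JPEG
    try {
        sanitize_jpeg($tmp, sys_get_temp_dir());
    } catch (RuntimeException $e) {
        echo $e->getMessage(), "\n";
    }
    unlink($tmp);
    unlink($stored);
}
```

Re-encoding works alongside the directory-level measures listed in the post (no execute permissions, forcing image/jpeg for the images directory); it does not replace them.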