Posted by Schraalhans Keukenmeester on 06/11/07 15:46
At Mon, 11 Jun 2007 11:02:56 +0200, iktorn let h(is|er) monkeys type:
> Schraalhans Keukenmeester wrote:
>> You'll have to test for extension first, and then assert what's sent
>> actually is what it claims to be. A safe way would be to apply the
>> appropriate imagecreatefrom(jpg|gif|bmp|png) etc functions provided by the
>> gd library.
>
> Much better way imho is to use getimagesize
> (http://pl2.php.net/manual/en/function.getimagesize.php)
> to check if it's a valid image file.
>
> Additionally you can check extension of uploaded file.
I haven't been able to test if the getimagesize() function can be fooled
easily. If not, it's probably quicker than using imagecreatefromFORMAT()
and therefore a better choice indeed. Great suggestion, it's the PHP manual
suggested way of checking for valid images I noticed. It doesn't give much
explanation though.
--
Schraalhans Keukenmeester - schraalhans@the.Spamtrapexample.nl
[Remove the lowercase part of Spamtrap to send me a message]
"strcmp('apples','oranges') < 0"
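The checks discussed in this thread combined into one routine, as an added example that is not code from either poster. getimagesize() identifies a file without decoding its pixel data, so the example follows it with a full GD decode and keeps only a re-encoded copy. The function name, allowlist, size limit and paths are assumptions.

```php
<?php
// Added example: extension allowlist, header check, full decode, re-encode.
// ALLOWED, MAX_SIDE and validate_uploaded_image() are hypothetical names.
const ALLOWED = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                 'gif' => IMAGETYPE_GIF,  'png'  => IMAGETYPE_PNG];
const MAX_SIDE = 8000; // assumed limit, guards against huge-dimension images

function validate_uploaded_image(string $tmpPath, string $clientName, string $destDir): string
{
    // 1. Extension allowlist; the client-supplied name is untrusted input.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Header check: the detected type must match the claimed extension.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    if ($info[0] < 1 || $info[1] < 1 || $info[0] > MAX_SIDE || $info[1] > MAX_SIDE) {
        throw new RuntimeException('dimensions out of range');
    }
    // 3. Full decode with GD: fails on files that only carry a plausible header.
    $img = @imagecreatefromstring(file_get_contents($tmpPath));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // 4. Keep a re-encoded copy under a server-chosen name, so bytes that are
    //    not pixel data (comments, trailing data) are not stored.
    $dest = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.png';
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not write image');
    }
    return $dest;
}

// Constructed demo inputs: a real PNG made with GD, and plain text named .png.
$dir  = sys_get_temp_dir();
$good = tempnam($dir, 'up');
imagepng(imagecreatetruecolor(2, 2), $good);
$bad  = tempnam($dir, 'up');
file_put_contents($bad, "just text, not an image\n");

echo 'stored: ', validate_uploaded_image($good, 'photo.png', $dir), "\n";
try {
    validate_uploaded_image($bad, 'photo.png', $dir);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

In a real upload handler the first argument would be `$_FILES[...]['tmp_name']` after an `is_uploaded_file()` check, and the destination directory should not be one where the web server executes scripts.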