class.upload.php is a powerful and mature PHP class to manage uploaded files, and manipulate images in many ways. The script is available under a GPL license.
OK, I repeat: this is a real image, I just changed the extension maphoto.jpg to maphoto.exe. When I print_r($_FILE), it gives me [name] => moi2.exe [type] => application/octet-stream. Here is the output of the class, thanks for your help.
system information
- class version : 0.32
- operating system : Linux
- PHP version : 5.4.4-14+deb7u5
- GD version : 2.0
- supported image types : png jpg gif bmp
- upload_max_filesize : 6M (6291456 bytes)
- language : fr_FR
source is an uploaded file
- upload OK
- file name OK
determining MIME type
- Checking MIME type with Fileinfo PECL extension
MAGIC path will not be used
MIME type detected as image/png; charset=binary by Fileinfo PECL extension
- MIME validated as image/png
source variables
- You can use all these before calling process()
file_src_name : moi2.exe
file_src_name_body : moi2
file_src_name_ext : exe
file_src_pathname : tmp/phpEmpi0c
file_src_mime : image/png
file_src_size : 177265 (max= 6291456)
file_src_error : 0
- source file is an image
image_src_x : 646
image_src_y : 652
image_src_pixels : 421192
image_src_type : png
image_src_bits : 8
process file to tmp/
- file size OK
- file mime OK : image/png
- new file name body : b36cf80167217ae1f0251717d4815809
- file name safe format
- destination variables
file_dst_path : tmp/
file_dst_name_body : b36cf80167217ae1f0251717d4815809
file_dst_name_ext : exe
- checking for auto_rename
- destination file details
file_dst_name : b36cf80167217ae1f0251717d4815809.exe
file_dst_pathname : tmp/b36cf80167217ae1f0251717d4815809.exe
- b36cf80167217ae1f0251717d4815809.exe doesn't exist already
- image resizing or conversion wanted
- source image is PNG
- setting destination file type to png
- crop image : 120 130 120 130
- add border : 3 3 3 3
- converting...
- saving image...
PNG image created
image objects destroyed
- process OK
I understand, but I would like to directly print an error if the extension is not jpg, jpg or png. I believe it's clearer because it's more discouraging if a hacker tries some bad extension. If he sees success with an exe, he will continue to try... don't you think?!
The MIME type as sent by the browser is irrelevant, and cannot be trusted.
Here, your file is an image (even though you changed the file extension), and the class recognizes it as an image, and therefore can process it.
Isn't that what you want?
That said, if you want to prevent exe files, you can check on file_src_name_ext before calling process().
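An added example of the check suggested in the reply, written against class.upload.php's public properties as they appear in the log above; it is not code from the class's own documentation or from this thread, and the form field name "photo" and the "tmp/" destination directory are assumptions:

```php
<?php
// Added example: validate the client-supplied extension and the detected
// MIME type *before* calling process(), as the reply above describes.
// Assumes class.upload.php sits next to this script and the form field is "photo".
require_once 'class.upload.php';

// Extensions and detected MIME types we are willing to accept. Anything else
// (an .exe, a .php, a renamed image) is rejected with an error before process().
$allowedExt  = array('jpg', 'jpeg', 'png');
$allowedMime = array('image/jpeg', 'image/png');

$handle = new upload($_FILES['photo']);

if (!$handle->uploaded) {
    // The transfer itself failed (size limit, no file, PHP upload error).
    die('Upload error: ' . $handle->error);
}

$ext  = strtolower($handle->file_src_name_ext); // taken from the client-supplied name
$mime = $handle->file_src_mime;                  // detected by the class (Fileinfo), not sent by the browser

if (!in_array($ext, $allowedExt, true)) {
    // The check requested in the thread: "moi2.exe" stops here,
    // even though its content is a valid PNG.
    $handle->clean();
    die('Refused: extension "' . $ext . '" is not allowed (jpg, jpeg, png only)');
}

if (!in_array($mime, $allowedMime, true)) {
    // Content check: the name says .png but the bytes are something else.
    $handle->clean();
    die('Refused: detected type "' . $mime . '" is not an allowed image type');
}

// Let the class re-encode the image and derive the stored extension from the
// detected type, so the extension on disk always matches the content.
$handle->file_new_name_body = md5(uniqid('', true));
$handle->image_convert      = ($mime === 'image/png') ? 'png' : 'jpg';
$handle->file_new_name_ext  = $handle->image_convert;

$handle->process('tmp/'); // destination directory assumed
if ($handle->processed) {
    echo 'Stored as ' . $handle->file_dst_pathname;
} else {
    echo 'Processing error: ' . $handle->error;
}
$handle->clean();
```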