  1. #1
    SitePoint Evangelist

    Uploading Documents

    Hi Guys,

    I'm going to allow users to upload files, i.e. .doc and .pdf type documents. I know how to code the uploading aspect of it; it's what to do in regards to checking the uploaded files. Should I check the extensions or MIME types, would you say?

    Cheers for any advice

    Graham

  2. #2
    SitePoint Addict Wildhoney
    I'd check the extension. Relying on the MIME type passed with the upload is very insecure.

  3. #3
    Programming Since 1978 felgall
    Placing .doc files on the web can produce a major privacy breach. Anyone who knows how can see not only the current version of the document but also all prior versions of the document along with who has edited it. I remember reading about a supposedly independent survey on smoking that was uploaded to the web as a Word doc. The content clearly showed that most of the work on the document was done by people employed at a particular tobacco company.

    The easiest way to strip all this private info out of a Word doc is to convert it to a PDF.

    The easiest way to validate that a file is a PDF is to check that the content of the file starts with %PDF-
    Stephen J Chapman


  4. #4
    SitePoint Wizard Stormrider
    Check both, then if you are on unix, use the `file` shell command to check that aspect, then check contents if you like. No reason to not check everything you can about something...
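
The layered check suggested in this thread (extension, the MIME type sent with the upload, then file content such as the `%PDF-` prefix), as an added example that is not part of any post. It is written in Python; the function name, the MIME allow-list and the size limit are assumptions, and the `.doc` signature is the OLE2 compound-file header of legacy Word files, which the thread does not give.

```python
import os

# Leading bytes each allowed extension must start with.
# %PDF- is the check from the thread; the .doc value is the OLE2
# compound-file header of legacy Word files (added here, not from the thread).
MAGIC = {
    ".pdf": b"%PDF-",
    ".doc": bytes.fromhex("d0cf11e0a1b11ae1"),
}
# MIME types the client may claim for each extension (assumed allow-list).
CLAIMED_MIME = {
    ".pdf": {"application/pdf"},
    ".doc": {"application/msword"},
}
MAX_BYTES = 10 * 1024 * 1024  # assumed size limit


def check_upload(filename, claimed_mime, data):
    """Return (ok, reason). filename and claimed_mime are client-supplied."""
    # Drop any path the client sent and keep only the final component.
    name = os.path.basename(filename.replace("\\", "/"))
    # Only the last extension counts, so "cv.pdf.exe" is treated as ".exe".
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return False, "extension not allowed"
    # The claimed type is attacker-controlled: use it only to reject mismatches.
    if claimed_mime not in CLAIMED_MIME[ext]:
        return False, "claimed MIME type does not match extension"
    if not 0 < len(data) <= MAX_BYTES:
        return False, "empty or oversized file"
    # The content itself must begin with the signature for that extension.
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample uploads: (filename, claimed MIME type, content).
    samples = [
        ("report.pdf", "application/pdf", b"%PDF-1.4\n..."),
        ("report.pdf", "application/pdf", b"<html><body>not a pdf"),
        ("notes.doc", "application/msword", MAGIC[".doc"] + b"\x00" * 8),
        ("cv.pdf.exe", "application/pdf", b"%PDF-1.4\n"),
        ("REPORT.PDF", "text/plain", b"%PDF-1.4\n"),
    ]
    for sample in samples:
        print(sample[0], check_upload(*sample))
```

A matching prefix only shows how the file begins, so treat this as a filter to run before the `file` command or a full parse, not as proof that the content is harmless.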

  5. #5
    SitePoint Evangelist
    Hi Guys,

    Yep, I'm on a Unix system. Thanks for the input, guys; I think I know how I'm going to approach it now.

    Cheers

    Graham

