Freelancers Network
Freelancers.net is owned and operated by Andy Stowell and Dan Winchester

RE: FN-FORUM: file size /type best practice

date posted 29th January 2007 17:54

[EMAIL REMOVED] wrote:
>> Probably being ignorant here, but without using a Java app/flash
>> object (not sure on flash) to manage the file upload I didn't think
>> you had access to the size of the file until the form had completed
>> submission.
>>
>
> Yeah that's the impression I'm under too, but was hoping I would be
> wrong
>
> D

True in (out of the box) PHP afaik since PHP processes the uploaded file
into the temp directory before your script even gets called (same reason you
can't set max upload size ini setting on the fly in your script), however if
you have direct access to the request e.g. when handling CGI raw in Perl you
should be able to discover the size of the request at the beginning and
hence decide if you want to accept the file (provided the client provides
this info, but I believe most do).

This is also why most upload progress bars for PHP are actually implemented
in perl CGI and hooked back to PHP via a unique upload ID to allow checking
of progress from PHP and handling of the resulting upload by a PHP script.

So the short answer is no way to check file before it is uploaded to server
in "native" PHP (reason I keep qualifying that is that I have seen a
modified source version of PHP that does it but good luck using that on a
server you don't have 100% control of).

Wrt the discussions about type, certain file types (e.g. images) you may be
able to check directly but without an armoury of proprietary libraries most
file uploads you have to trust the extension.

I am not a security expert, but it seems to me that how big an issue this is
depends on the purpose of the files. If the files will only ever be made
available through the same website then extension is what matters anyway as
this is how the webserver will determine mime type to deliver back when the
file is later requested. An executable uploaded as .gif and then accessed
via the same web server will not execute at the browser, as it will be
served to the browser as image/gif mime type (assuming standard set-up).

Where there is an issue is if the file will be used elsewhere that its
fundamental nature as an exe may cause issues. Also I suppose it may be a
first step on a multi-step hack if the hacker could subsequently rename the
file somehow or change web server config.

Regards,

Dai
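As an added example (not code from the thread or from any of its posters), the following plain-PHP handler shows what can still be checked on the server side once the upload has already landed in PHP's temp directory, which is the situation the reply above describes: the upload error code (this is where the php.ini size limits surface), the reported size against an application cap, an extension allowlist, and a magic-byte check via the `finfo` extension so the stored extension is confirmed by the actual contents rather than trusted on its own. The form field name `upload`, the 2 MiB cap, the `uploads/` store directory and the allowed-type table are all assumptions made for the example.

```php
<?php
// Added example, not from the original post. Post-upload validation of an image
// upload in stock PHP: by the time this script runs, PHP has already written the
// file to its temp directory, so every check below is on the completed upload.
// Field name 'upload', the 2 MiB cap and the store directory are assumptions.

declare(strict_types=1);

// Application-level cap; upload_max_filesize / post_max_size in php.ini must also allow it.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Allowed extension -> MIME type the file contents must actually have (assumed table).
const ALLOWED_TYPES = [
    'gif'  => 'image/gif',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Validate one entry of $_FILES. Returns null when acceptable, otherwise a reason string.
 */
function validateImageUpload(array $file): ?string
{
    $error = (int) ($file['error'] ?? UPLOAD_ERR_NO_FILE);
    if ($error !== UPLOAD_ERR_OK) {
        // UPLOAD_ERR_INI_SIZE / UPLOAD_ERR_FORM_SIZE mean a server-side size limit already fired.
        return 'upload failed with error code ' . $error;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'tmp_name is not a file uploaded via HTTP POST';
    }
    if ((int) $file['size'] > MAX_UPLOAD_BYTES) {
        return 'file exceeds size limit';
    }

    // The extension comes from the client-supplied name; only the last component counts.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return "extension '$ext' is not allowed";
    }

    // Sniff the real contents with libmagic instead of trusting $file['type'], which the client sets.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_TYPES[$ext]) {
        return "content type '$detected' does not match extension '$ext'";
    }

    // For images, getimagesize() also fails on files that carry only a forged header.
    if (@getimagesize($file['tmp_name']) === false) {
        return 'file is not a decodable image';
    }
    return null;
}

/**
 * Move an accepted upload into the store under a server-generated name, so the stored
 * filename (and therefore the extension the web server later maps to a MIME type)
 * is never chosen by the client.
 */
function storeUpload(array $file, string $storeDir): string
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into store');
    }
    return $dest;
}

if (isset($_FILES['upload'])) {
    $problem = validateImageUpload($_FILES['upload']);
    if ($problem !== null) {
        http_response_code(400);
        echo 'Rejected: ', htmlspecialchars($problem);
    } else {
        $path = storeUpload($_FILES['upload'], __DIR__ . '/uploads'); // assumed store location
        echo 'Stored as ', htmlspecialchars(basename($path));
    }
}
```

The order of the checks matters: the cheap size and extension tests run before the file is opened, and the content check is what prevents a non-image from being stored under an image extension in the first place, so the "rename it later" concern raised above has nothing to work with in the store. Renaming to a random server-generated name also removes the client's control over the stored path.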