[TYPO3] PHP help ! does this code look like it would check a file extensions, and disallow php files or exe files to be attached

ries van Twisk typo3 at rvt.dds.nl
Thu Jun 14 15:22:33 CEST 2007


I would do it the other way around,

allow only the files you can allow and want to have,
and deny the rest. That is more defensive.

Ries

On Jun 14, 2007, at 7:54 AM, Rens Admiraal wrote:

> Hi Dave,
>
> How does this cover executables named file.crap?
>
> Maybe it's better to read the filetype of a file. In this case you
> could use something like the following:
>
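> <?php
> 	$disallowed = array(	'application/exe' ,
> 						'application/x-msdos-program',
> 						'application/x-dosexec',
> 						'application/x-exe'
> 	);
>
> 	// mime_content_type() reads the MIME type from the file's content;
> 	// filetype() only returns "file", "dir", etc. The POSTed value is
> 	// assumed to be the path of the uploaded file on the server.
> 	if (in_array(mime_content_type(t3lib_div::_POST('filename')), $disallowed)) {
> 		echo "mime type doesn't work";
> 	} else {
> 		// Rest of the code
> 	}
> ?>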
>
> The mime type array is not complete I think, but in my opinion this
> is a better indication if the filetype is allowed or not.
>
> Hope this helps you out a bit ;-)
>
> Greetz
>
> On 14 Jun 2007, at 14:42, dave typo wrote:
>
>> I'm trying to write php that disallows the posting of specific files,
>> namely php files and exe files.
>>
>> If someone could look over this snippet and tell me if it works or not,
>> that would be appreciated.
>>
>> <?php
>>
>> $filelinks = t3lib_div::_POST('file_name'); // the posting of the file name
>>
>> // list of extensions that shouldn't be used
>> $exttypes = array('php3', 'php', 'exe');
>> // get the extension after the last .
>> $fileextension = pathinfo($filelinks, PATHINFO_EXTENSION);
>> if (in_array($fileextension, $exttypes)) {
>>     // if the extension is php, php3 or exe, then echo "doesn't work"
>>     echo "mime type doesn't work";
>> } else {
>>     // if the file extension doesn't equal php, php3 or exe, then store the file
>>     $filelinks = $this->storeFile();
>> }
>>
>> ?>
>>
>>
>> I'm not a programmer, and I'm very new at php so I'm sure there are errors
>> and stupid logic in my code.
>>
>> It would be greatly appreciated if anyone here could critique and rip apart
>> my code.
>>
>> thank you,
>>
>> -dave
>> _______________________________________________
>> TYPO3-english mailing list
>> TYPO3-english at lists.netfielders.de
>> http://lists.netfielders.de/cgi-bin/mailman/listinfo/typo3-english
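The allow-list approach recommended in the reply above, as an added example that is not part of the original thread or of TYPO3. The helper `uploadRejection()`, the `ALLOWED` map and the sample files are hypothetical, and PHP 7.1+ with the fileinfo extension is assumed.

```php
<?php
// Added example: allow-list check for an upload (hypothetical helper, not TYPO3 API).
// Maps each permitted extension to the MIME types its content may have.
const ALLOWED = [
    'png' => ['image/png'],
    'txt' => ['text/plain'],
    'pdf' => ['application/pdf'],
];

/**
 * Returns null when the upload is acceptable, otherwise the reason for refusal.
 * $clientName is the name sent by the browser, $path the file on disk.
 */
function uploadRejection(string $clientName, string $path): ?string
{
    // Strip any directory part and compare extensions case-insensitively.
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) < 2 || $parts[0] === '') {
        return 'no extension';
    }
    array_shift($parts); // drop the base name, keep every extension
    // Every extension must be allowed, so "shell.php.png" is refused too.
    foreach ($parts as $ext) {
        if (!isset(ALLOWED[$ext])) {
            return "extension '$ext' not allowed";
        }
    }
    // The content, not the name, decides the MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ALLOWED[end($parts)], true)) {
        return "content type '$mime' does not match extension";
    }
    return null;
}

// Constructed sample uploads: name as sent by the client => file content.
$samples = [
    'notes.txt'     => "plain text\n",
    'file.crap'     => "MZ\x90\x00",            // executable under an unlisted name
    'shell.php.png' => "<?php echo 1; ?>",
    'image.PNG'     => "<?php echo 1; ?>",      // allowed name, wrong content
];
foreach ($samples as $name => $content) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $content);
    echo $name, ': ', uploadRejection($name, $tmp) ?? 'accepted', "\n";
    unlink($tmp);
}
```

Anything not on the list is refused by default, so an unknown extension such as `.crap` never needs its own rule. Storing accepted files under a server-generated name outside the web root keeps the client-supplied name out of the file system entirely.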