quote:
Originally posted by Segosa
Can I just add a question while we're on the subject of uploading:
The mime-type is sent by the browser in the headers before the file is sent, or is it stored inside the file somehow? The reason I ask this is that if it's sent by the browser it is possible to fake it, and so upload a .php file pretending to be image/png or something else because only the mime-types are checked...
In order to upload the .php file as an image as you are describing, a setting in Apache would need to be changed in the mime.types file.
quote:
Originally posted by WDZ
I'd probably do something like this...
code:
$types = array("image/gif", "image/pjpeg", "image/bmp", "video/mpeg", "video/x-msvideo", "image/png", "application/x-shockwave-flash");
if(in_array($HTTP_POST_FILES['file']['type'], $types)) {
    // type is in the allowed list: handle the uploaded file here
}

Thanks.
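Added example, not code from any poster in this thread: the `type` field of an uploaded file is copied from the request, so this sketch decides from the file's bytes using PHP's fileinfo extension and gives the stored file a server-chosen name and extension. The function name `safe_upload_name`, the `ALLOWED` list and the two sample files are assumptions constructed for illustration.

```php
<?php
// Added example. Content types accepted, mapped to the extension the server
// assigns (list is an assumption, based on the image types in the thread).
const ALLOWED = ['image/gif' => 'gif', 'image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Return a server-chosen name for an accepted upload, or null to reject it.
 * $tmpPath:     received file, i.e. $_FILES['file']['tmp_name']
 * $claimedType: $_FILES['file']['type'], copied from the request (untrusted)
 */
function safe_upload_name(string $tmpPath, string $claimedType): ?string
{
    // Sniff the type from the file content instead of trusting the request.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected === false || !isset(ALLOWED[$detected])) {
        return null;                       // content is not an allowed type
    }
    if ($detected !== $claimedType) {
        // Not fatal (some browsers send image/pjpeg for JPEG), but log it.
        error_log('upload: claimed ' . json_encode($claimedType)
            . ", content is $detected");
    }
    // Never reuse the client's file name or extension for the stored file.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$detected];
}

// Constructed samples: [file bytes, type claimed by the client].
$samples = [
    'script claimed as image/png' => ["<?php echo 'hi'; ?>\n", 'image/png'],
    'GIF claimed as image/gif'    => ["GIF89a\x01\x00\x01\x00\x00\x00\x00;", 'image/gif'],
];
foreach ($samples as $label => [$bytes, $claimed]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $name = safe_upload_name($tmp, $claimed);
    echo $label, ': ', $name ?? 'rejected', "\n";
    unlink($tmp);
}
// In a real handler, also require $_FILES['file']['error'] === UPLOAD_ERR_OK
// and store the file with move_uploaded_file($tmpPath, $uploadDir . '/' . $name).
```

Content sniffing alone can be satisfied by a file that merely starts with valid image bytes, which is why the stored extension comes from the allow-list rather than from the client.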
