1

I'm trying to upload a zip file and a csv file from HTML form.

In PHP, when I printed $_FILES (actually $request->getFiles() in Symfony), I got the following.

Array
(
    [zipfile] => Array
        (
            [name] => tempfiles.zip
            [type] => application/octet-stream
            [tmp_name] => C:\wamp\tmp\php5D42.tmp
            [error] => 0
            [size] => 850953
        )
    [csvfile] => Array
        (
            [name] => test.csv
            [type] => application/vnd.ms-excel
            [tmp_name] => C:\wamp\tmp\php5D52.tmp
            [error] => 0
            [size] => 312
        )
)

I'm wondering about the type and tmp_name. I need to make a few decisions based on type. Is it safe to make decisions based on the existing type? Will I get the same result for similar files on a Linux server?

Again, tmp_name has a .tmp extension. Is it consistent on both Windows and Linux? If not, is there any way that the code I write on Windows (decisions using type) will work on Linux without any issue?

2
  • Very related: Security threats with uploads Commented Sep 25, 2012 at 9:40
  • @deceze Sorry, but not related. Although I thank you for the good link. I'll definitely go through them in detail, but my current code is for the admin panel of my site. Thus I'm more concerned about functionality rather than security. Security/best practice is not the question here, but making sure it works on both Windows/Linux. Commented Sep 25, 2012 at 9:48

2 Answers

3

Using this type can be dangerous because the user can change the type of the files and can upload a PHP script.

You should validate the type first, just like get_image_size() to validate an image file. I have no idea about .zip files.

1 Comment

Thanks for the hint. If an image should be tested through get_image_size, a zip file can be tested through zip_open().
2

It is not safe to trust the type from $_FILES; you need to validate the file type on the server side.

For the .tmp extension, it is OK on both Windows and Linux.

2 Comments

The tmp_name is not guaranteed to end in .tmp on every system.
@deceze That's true, no matter what the extension is, it won't be a problem; anyway, the extension name should not be hardcoded.
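
The server-side check both answers call for, as an added example that is not part of either answer: it classifies a file by its content, so the client-sent type and the tmp_name extension never enter the decision and the result is the same on Windows and Linux. The function name classifyUpload, the CSV heuristic and the sample files are assumptions of this example.

```php
<?php
// Added example, not from the thread. Assumes the zip extension is enabled.
/** Classify a file by its content: 'zip', 'csv' or 'unknown'. */
function classifyUpload(string $tmpPath): string
{
    // ZIP: the archive must open and pass libzip's consistency checks.
    $zip = new ZipArchive();
    if ($zip->open($tmpPath, ZipArchive::CHECKCONS) === true) {
        $zip->close();
        return 'zip';
    }
    // CSV heuristic (an assumption of this example): no NUL bytes, and every
    // non-blank row has the same number of columns, at least two.
    $head = (string) file_get_contents($tmpPath, false, null, 0, 8192);
    if ($head === '' || strpos($head, "\0") !== false) {
        return 'unknown';
    }
    $fh = fopen($tmpPath, 'rb');
    $cols = null;
    while (($row = fgetcsv($fh, 0, ',', '"', '\\')) !== false) {
        if ($row === [null]) {
            continue; // blank line
        }
        $cols = $cols ?? count($row);
        if ($cols < 2 || count($row) !== $cols) {
            $cols = null;
            break;
        }
    }
    fclose($fh);
    return $cols === null ? 'unknown' : 'csv';
}

// Constructed sample files standing in for $_FILES[...]['tmp_name'].
$zipTmp = tempnam(sys_get_temp_dir(), 'php');
$z = new ZipArchive();
$z->open($zipTmp, ZipArchive::OVERWRITE);
$z->addFromString('a.txt', 'hello');
$z->close();
$csvTmp = tempnam(sys_get_temp_dir(), 'php');
file_put_contents($csvTmp, "id,name\n1,alice\n2,bob\n");
$fakeTmp = tempnam(sys_get_temp_dir(), 'php');
file_put_contents($fakeTmp, "<?php echo 'not a zip';\n");
// 'type' is whatever the client sent; it plays no part in the decision.
foreach ([['application/octet-stream', $zipTmp], ['application/vnd.ms-excel', $csvTmp],
          ['application/zip', $fakeTmp]] as [$claimed, $tmp]) {
    printf("claimed %-26s detected %s\n", $claimed, classifyUpload($tmp));
    unlink($tmp);
}
```

In a real request handler, also confirm that the error field equals UPLOAD_ERR_OK and that is_uploaded_file() accepts the tmp_name before classifying it.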
