John Davidson

php - Is verifying a file's extension enough to know that the file isn't hiding a virus (or something that can infiltrate my server)?

Message:


I'm developing a system where the user will be able to upload a ".docx" file. Is verifying its extension enough to know that this ".docx" file isn't infected?


Here's my upload PHP code:


<?php
session_start();

include("connection.php");
include("functions.php");

// Just to validate the user
$user_data = check_login($con);

include("connectionPostsDB.php");

if (isset($_POST['submit'])) {

    $title = $_POST['title'];
    $tag = $_POST['tag'];
    $description = $_POST['description'];

    $file = $_FILES['file'];

    $fileName = $_FILES['file']['name'];
    $fileTmpName = $_FILES['file']['tmp_name'];
    $fileSize = $_FILES['file']['size'];
    $fileError = $_FILES['file']['error'];
    $fileType = $_FILES['file']['type'];

    $fileExt = explode('.', $fileName);
    $fileActualExt = strtolower(end($fileExt)); //here I get the actual file's extension (I hope xD)

    $allowed = array('docx');

    if (in_array($fileActualExt, $allowed)) {
        if ($fileError === 0) {
            if ($fileSize < 1000000) {
                // Server-generated name: the client-supplied file name is not reused on disk
                $fileNameNew = uniqid('', true) . "." . $fileActualExt;
                $fileDestination = '../imgs/posts/' . $fileNameNew;
                move_uploaded_file($fileTmpName, $fileDestination);

                // Prepared statement: title, description and tag are bound as
                // parameters instead of being concatenated into the SQL string
                $query = "INSERT INTO posts (title, descr, imgname, tag) VALUES (?, ?, ?, ?)";
                $stmt = mysqli_prepare($postcon, $query);
                mysqli_stmt_bind_param($stmt, 'ssss', $title, $description, $fileNameNew, $tag);
                mysqli_stmt_execute($stmt);
                mysqli_stmt_close($stmt);

                echo 'File successfully uploaded';
            } else {
                echo 'Your file is too big.';
            }
        } else {
            echo 'There was an error uploading your file.';
        }
    } else {
        echo 'This type of file not allowed.';
    }

}

So, is checking the file's extension enough to prevent a user from putting PHP code on my server (or doing something to get information from the server)?



My Answer:
possible in PHP?

Yes, it is possible to verify a file in PHP by checking its properties such as file size, file type, file extension, and file content. This can be done using functions like `filesize()`, `pathinfo()`, `mime_content_type()`, and `file_get_contents()`. Additionally, you can use hashing algorithms like MD5 or SHA1 to verify the integrity of a file by comparing its hash value with a known hash value.
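The answer lists the properties worth checking; the following is an added example (not the questioner's code and not from the site) that puts them together for the .docx upload in the question. The extension alone is client-controlled, so the example also sniffs the content server-side with `finfo` and then opens the file as the ZIP container a real .docx is, requiring the `[Content_Types].xml` and `word/document.xml` entries. It assumes the same form field name `file` and the `$postcon` mysqli connection from the question; the upload directory path is a placeholder. The important defensive point is structural rather than a single check: the stored name is chosen by the server, and the directory lies outside the web root so the web server can never execute whatever was uploaded.

```php
<?php
// Added example: layered validation of a .docx upload (not the questioner's code).
// Assumptions: a form with <input type="file" name="file">, a mysqli handle
// $postcon from connectionPostsDB.php, and an upload directory outside the
// document root (placeholder path below).
declare(strict_types=1);

const MAX_DOCX_BYTES = 1000000;
// Placeholder: must NOT be under the document root, so nothing stored here can
// be requested as a URL and interpreted by the web server.
const UPLOAD_DIR = '/var/app/uploads/posts';

/**
 * Returns null when $tmpPath looks like a genuine .docx, otherwise a reason.
 * A .docx is a ZIP container that carries [Content_Types].xml and word/document.xml.
 */
function validateDocx(string $clientName, string $tmpPath, int $size, int $error): ?string
{
    if ($error !== UPLOAD_ERR_OK) {
        return 'upload error ' . $error;
    }
    // Only accept paths that PHP's own upload handling produced.
    if (!is_uploaded_file($tmpPath)) {
        return 'not an uploaded file';
    }
    if ($size <= 0 || $size > MAX_DOCX_BYTES) {
        return 'file empty or too big';
    }
    // 1. Extension: cheap, but it only reflects what the client claimed.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext !== 'docx') {
        return 'extension not allowed';
    }
    // 2. Magic bytes: sniffed from the file itself, ignoring $_FILES[...]['type']
    //    (which the client also chooses).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    $accepted = [
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
        'application/zip', // older libmagic databases report a .docx as plain zip
    ];
    if (!in_array($mime, $accepted, true)) {
        return 'unexpected content type ' . $mime;
    }
    // 3. Structure: open the container and require the OOXML entries.
    $zip = new ZipArchive();
    if ($zip->open($tmpPath, ZipArchive::RDONLY) !== true) {
        return 'not a readable zip container';
    }
    $hasTypes = $zip->locateName('[Content_Types].xml') !== false;
    $hasDoc   = $zip->locateName('word/document.xml') !== false;
    $zip->close();
    if (!$hasTypes || !$hasDoc) {
        return 'zip is not a Word document';
    }
    return null;
}

if (isset($_POST['submit'])) {
    $f = $_FILES['file'] ?? null;
    if ($f === null) {
        http_response_code(400);
        exit('No file received.');
    }
    $problem = validateDocx((string)$f['name'], (string)$f['tmp_name'], (int)$f['size'], (int)$f['error']);
    if ($problem !== null) {
        http_response_code(400);
        exit('Rejected: ' . htmlspecialchars($problem, ENT_QUOTES, 'UTF-8'));
    }

    // Server-chosen name with a fixed extension; the client name is never reused.
    $storedName = bin2hex(random_bytes(16)) . '.docx';
    $dest = UPLOAD_DIR . '/' . $storedName;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        http_response_code(500);
        exit('Could not store the file.');
    }
    chmod($dest, 0640); // readable by the app, never executable

    // Parameterised INSERT: user text is bound, not concatenated into SQL.
    $title = (string)($_POST['title'] ?? '');
    $description = (string)($_POST['description'] ?? '');
    $tag = (string)($_POST['tag'] ?? '');
    $stmt = $postcon->prepare('INSERT INTO posts (title, descr, imgname, tag) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $title, $description, $storedName, $tag);
    $stmt->execute();
    $stmt->close();

    echo 'File successfully uploaded';
}
```

Because the file lives outside the web root, downloads go through a small PHP handler that looks the stored name up in `posts`, reads it with `readfile()`, and sends a fixed `Content-Type` plus `Content-Disposition: attachment`, so the browser never renders the upload in the site's origin. The three checks still say nothing about macros or other content inside a genuine document; what they guarantee is that a file which is not a Word document is refused, and that even an accepted one can never run as code on this server.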

© 2024 Hayatsk.info - Personal Blogs Platform. All Rights Reserved.