[Owasp-boston] Checking file types on upload

Laverty, Patrick Patrick_Laverty at brown.edu
Thu Nov 12 09:31:31 EST 2009


Sorry for all the questions lately, but I'm wondering if someone has
come up with a reliable way to check actual file types when they get
uploaded to a server, preferably with PHP.  We've had some issues where
people uploaded php files with a .jpg or .gif extension, so they slipped
by for a while.

We are turning off php in upload directories, among other security
steps, but I just wanted to see if I could do more than just checking
the file extension.  Looking for that extra layer of security.

Thanks!

Patrick Laverty
Brown University
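
One way to do the content check asked about above, as an added example that is not part of the original post: it uses PHP's bundled fileinfo extension and getimagesize() to identify the type from the file's bytes, and names the stored file from that result instead of from the uploaded name. The function names, the allowlist and the two sample files are assumptions made for illustration.

```php
<?php
// Added example; detect_image_extension() and safe_storage_name() are hypothetical names.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
    'image/png'  => 'png',
];

// Return the extension for the file's detected type, or null if it is not an allowed image.
function detect_image_extension(string $path): ?string
{
    // Identify the type from the file's bytes. The uploaded file name and
    // $_FILES[...]['type'] come from the client and are never consulted.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;
    }
    // Second opinion: the image header must parse and report the same type.
    $info = @getimagesize($path);
    if ($info === false || $info['mime'] !== $mime) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

// Server-chosen storage name: random base name plus the detected extension.
function safe_storage_name(string $path): ?string
{
    $ext = detect_image_extension($path);
    return $ext === null ? null : bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs: a PHP script and a 1x1 GIF, both uploaded as ".jpg".
$samples = [
    'script.jpg' => "<?php echo 'hello'; ?>\n",
    'pixel.jpg'  => base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='),
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    echo $name, ' => ', safe_storage_name($tmp) ?? 'rejected', PHP_EOL;
    unlink($tmp);
}
```

These checks read the file's header rather than every byte, so they complement turning off PHP in the upload directories and do not replace it.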

