PHP Classes

prevent gif injection

Subject:prevent gif injection
Summary:another way to prevent it
Messages:1
Author:Martin Dimitrov
Date:2011-10-21 21:54:22
Update:2011-10-21 22:23:20
 

Martin Dimitrov - 2011-10-21 22:23:20
Hi guys,

There is another way to prevent a gif injection: a regular expression check. I'll give you a short example of that and the thing you have to pay attention to!

Example:

<?php

// Example one - with the symbols ^ and $ in the pattern. IMPORTANT!

$string = "someImage.gif.php";

if (preg_match("/^[\w\d]+\.(gif|jpg|JPG)$/", $string))
{
    // not reached: preg_match() returns 0 (no match) for this file name
}

// Example two - same pattern WITHOUT the symbols ^ and $

$string = "someImage.gif.php";

if (preg_match("/[\w\d]+\.(gif|jpg|JPG)/", $string))
{
    // reached: preg_match() returns 1 (match), and that's bad...
}

?>


Did you see the difference in the patterns? If you decide to use this approach, you have to pay attention to the ^ and $ symbols, which mean "from the beginning to the end of the string". They check that the string (file name) contains exactly these characters and symbols and NOTHING else; otherwise the check returns FALSE.

I hope this was helpful.

P.S. I'm new to the site and I really like it!
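
The anchoring point from the post above, as an added example that is not part of the original post: it runs the post's two patterns and a stricter variant over constructed file names. The function name `isAllowedImageName`, the sample names, and the choice of `\A...\z` with the `i` flag are assumptions of this example; in PCRE, `$` also matches just before a trailing newline, which `\z` does not.

```php
<?php
// Added example, not from the original post. The function name and the
// sample file names are constructed for illustration.

/**
 * Return true only if $name is one run of word characters followed by
 * exactly one allowed image extension, with nothing before or after it.
 */
function isAllowedImageName(string $name): bool
{
    // \A and \z anchor to the absolute start and end of the subject.
    // Unlike $, \z does not match before a trailing newline.
    // The i flag accepts gif, GIF, Jpg and so on.
    return preg_match('/\A\w+\.(gif|jpg)\z/i', $name) === 1;
}

// The two patterns from the post, kept unchanged for comparison.
$anchored   = '/^[\w\d]+\.(gif|jpg|JPG)$/';
$unanchored = '/[\w\d]+\.(gif|jpg|JPG)/';

// Constructed sample input.
$samples = [
    'someImage.gif',        // plain image name
    'someImage.gif.php',    // the case from the post
    "someImage.gif\n",      // trailing newline
    'someImage.GIF',        // upper-case extension
    '../someImage.gif',     // path prefix before the name
];

foreach ($samples as $name) {
    printf(
        "%-24s unanchored=%d anchored=%d strict=%d\n",
        json_encode($name, JSON_UNESCAPED_SLASHES),
        preg_match($unanchored, $name),
        preg_match($anchored, $name),
        (int) isAllowedImageName($name)
    );
}
```

A file name check of this kind only constrains the name; it says nothing about the bytes inside the uploaded file.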