PHP File Upload #27

Closed
kieranmenor opened this Issue · 3 comments

kieranmenor

On http://www.w3schools.com/php/php_file_upload.asp in the "Restrictions on Upload" section, they are relying on $_FILES["file"]["type"] to determine the file type, making it appear safe. This is far from the truth, however, as $_FILES["file"]["type"] contains the MIME type provided by the client browser. By forging the Content-Type header in the HTTP request to contain one of the whitelisted types, you can upload any file to the server. This means that you can upload and most likely execute e.g. PHP scripts, with potentially devastating results.
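
An added example, not part of the original issue or of the w3schools page: the client-supplied check the issue describes beside a server-side check that inspects the uploaded bytes. It assumes the form field is named `file` as in the issue; the allowlist, size cap and `/var/uploads` directory are hypothetical.

```php
<?php
declare(strict_types=1);

// Allowlist: MIME type detected from file content => extension chosen by the server.
const ALLOWED_TYPES = [
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

// Weak check, as described in the issue: "type" is copied from the request's
// Content-Type header, so the client decides what it says.
function client_type_is_allowed(array $file): bool
{
    return array_key_exists((string) ($file['type'] ?? ''), ALLOWED_TYPES);
}

// Stronger check: detect the MIME type from the uploaded bytes with fileinfo and
// return the server-chosen extension, or null if the upload is rejected.
function detect_allowed_extension(array $file, int $maxBytes = 2000000): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null; // failed upload, or an array of files instead of one
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > $maxBytes) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return is_string($mime) ? (ALLOWED_TYPES[$mime] ?? null) : null;
}

// Store under a random server-generated name; the client's name and type are never used.
function store_upload(array $file, string $uploadDir): ?string
{
    $ext = detect_allowed_extension($file);
    if ($ext === null) {
        return null;
    }
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Hypothetical upload directory, assumed to sit outside the web root.
$stored = isset($_FILES['file']) ? store_upload($_FILES['file'], '/var/uploads') : null;
http_response_code($stored === null ? 400 : 201);
```

Content detection only confirms that the file begins like an allowed image; the server-chosen name and extension, together with a storage directory that never executes scripts, are what keep an uploaded file from running as PHP.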

Chris “Kwpolska” Warrick

Please fork the repo or use GitHub’s Fork&Edit (see the GH blog) and add it in.

Paul Irish
Owner

Thanks Kwpolska. :)

what he said ^_^

also w3schools now has a handy bug reporting form at the button.. you should also say this there.

Jonathan Garbee
Collaborator

We have decided to not handle server-side technology sections on W3fools.

Jonathan Garbee closed this