PHP File Upload #27

Closed
kieranmenor opened this Issue Apr 28, 2011 · 3 comments

4 participants

@kieranmenor

On http://www.w3schools.com/php/php_file_upload.asp in the "Restrictions on Upload" section, they are relying on $_FILES["file"]["type"] to determine the file type, making it appear safe. This is far from the truth, however, as $_FILES["file"]["type"] contains the MIME type provided by the client browser. By forging the Content-Type header in the HTTP request to contain one of the whitelisted types, you can upload any file to the server. This means that you can upload and most likely execute e.g. PHP scripts, with potentially devastating results.
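The difference between the two checks, as an added example that is not part of the original issue or of the tutorial it discusses: the first function trusts `$_FILES["file"]["type"]`, the second ignores it and inspects the stored bytes. The names `ALLOWED`, `clientTypeCheck` and `contentTypeCheck` are hypothetical, the sample uploads are constructed, and the `fileinfo` extension is assumed to be enabled.

```php
<?php
// Allowlist keyed by the MIME type the *server* detects; the value is the
// extension the server assigns, so the client never chooses the file name.
const ALLOWED = ['image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

// Weak check: $file['type'] is copied from the request's Content-Type header.
function clientTypeCheck(array $file): bool
{
    return isset(ALLOWED[$file['type']]);
}

// Stronger check: ignore $file['type'] and $file['name'], sniff the bytes on disk.
// Returns a server-generated file name, or null when the upload is rejected.
// A real handler would also call is_uploaded_file()/move_uploaded_file(), which
// this offline demo cannot do because its files do not come from an HTTP request.
function contentTypeCheck(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED[$mime])) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
}

// Build a $_FILES-style entry around constructed content.
function sampleUpload(string $name, string $claimedType, string $bytes): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    return ['name' => $name, 'type' => $claimedType, 'tmp_name' => $tmp,
            'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes)];
}

// Constructed samples: a script whose request claimed image/gif, and a 1x1 GIF.
$samples = [
    sampleUpload('pic.php', 'image/gif', "<?php echo 'hello'; ?>\n"),
    sampleUpload('dot.gif', 'image/gif',
        base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7')),
];

foreach ($samples as $file) {
    printf("%-8s client-type check: %-6s content check: %s\n", $file['name'],
        clientTypeCheck($file) ? 'accept' : 'reject',
        contentTypeCheck($file) ?? 'reject');
    unlink($file['tmp_name']);
}
```

Content sniffing only looks at leading bytes, so it is one layer: uploads should also be stored under the server-generated name in a directory where the web server does not execute scripts.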

@Kwpolska

Please fork the repo or use GitHub’s Fork&Edit (see the GH blog) and add it in.

@paulirish
Owner

Thanks Kwpolska. :)

what he said ^_^

also w3schools now has a handy bug reporting form at the button.. you should also say this there.

@Garbee
Collaborator

We have decided to not handle server-side technology sections on W3fools.

@Garbee Garbee closed this Mar 4, 2013