On Aug 20, Wouter Verhelst <w@uter.be> wrote: > > But some sites accept file uploads with arbitrary names, perhaps > > expected to be a JPEG image, but actually named bar.php.jpeg and > > containing malicious server-side PHP which they could execute from the > > browser. > Don't Do That Then(TM). I see that you are not in the web hosting business. <g> Millions of web sites do this, so now matter how a bad practice this is (and I agree that it is) we need to do everything possible to work around insecure web sites. Also, we are talking about PHP: if educating developers were possible, they would not use PHP in the first place. > The right solution to this problem is instead to write your upload > scripts so that they True. But you do not dictate solutions to the 16 year old "webmaster" who happens to be the cousin of your customer. -- ciao, Marco
Attachment:
signature.asc
Description: Digital signature