Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I read other questions about subject. I know what I should not rely on.
I check file name with basename function and replce dots (except last one). Then i get file extension with explode function and check it with a blacklist defined by me. My question is; why any other control is necessary? Even if it is a malicious php code, (afaik) it will not be executed because of its extension is not php. There are already file size limitations in php settings. So, why?
There are 1000 answers why not, but imagine the following: I could upload a .htaccess file to make some other extensions being handled by PHP, thus I would be able to get around your “only .php files are executable”. An very easy one 🙂