- Php – How to check for corrupted DOC and PDF files stored on the server with PHP?
- Best Solution
- Related Solutions
- TL;DR
- Don’ts
- Dos
- Why hash passwords anyway?
- What makes a good password anyway?
- Best practices
- Average practices
- Future Practices
- Cryptography Recap & Disclaimer
- PHP: How to check if gz file is corrupt?
- Answer by Clarissa Bravo
- Answer by Remington Daniels
- Answer by Piper Fletcher
- Answer by Briella Henderson
- Answer by Tiffany Vasquez
Php – How to check for corrupted DOC and PDF files stored on the server with PHP?
It’s difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.
I have a project about creating file uploading website for my university using PHP.
For every uploaded file, the website must check if the uploaded file is corrupted or not.
I’ve been searching for and found nothing.
Best Solution
For Checking whether PDF file is corrupted or not.
Read first five byte of the PDF file. If the string read is %PDF- , then file is not corrupted else corrupted.
Explanation: Open any non-corrupted file with notepad++, you will notice that the first five byte of the opened file equal following sub-string «%PDF-«. This is nothing but header format for a valid PDF file and we can take it advantage to test whether the file is corrupted or not.
For Checking whether .docx file is corrupted or not
DOCX files are in ZIP format, in which the first two bytes are the letters PK (after ZIP’s creator, Phil Katz).
fseek($fp, 0); $data = fread($fp, 2); // read 2 bytes from byte 0 if(strcmp($data,"PK")==0) < echo "The docx File is not Corrupted."; >else
Related Solutions
Proper MIME media type for PDF files
The standard Media Type (formerly known as MIME types) is application/pdf . The assignment is defined in RFC 3778, The application/pdf Media Type, referenced from the Media Types registry.
Media Types are controlled by a standards body, The Internet Assigned Numbers Authority (IANA). This is the same organization that manages the root name servers and the IP address space.
The use of x-pdf predates the standardization of the Media Type for PDF. Media Types in the x- namespace are considered experimental, just as those in the vnd. namespace are considered vendor-specific. x-pdf might be used for compatibility with old software.
Php – Secure hash and salt for PHP passwords
DISCLAIMER: This answer was written in 2008.
Since then, PHP has given us password_hash and password_verify and, since their introduction, they are the recommended password hashing & checking method.
The theory of the answer is still a good read though.
TL;DR
Don’ts
- Don’t limit what characters users can enter for passwords. Only idiots do this.
- Don’t limit the length of a password. If your users want a sentence with supercalifragilisticexpialidocious in it, don’t prevent them from using it.
- Don’t strip or escape HTML and special characters in the password.
- Never store your user’s password in plain-text.
- Never email a password to your user except when they have lost theirs, and you sent a temporary one.
- Never, ever log passwords in any manner.
- Never hash passwords with SHA1 or MD5 or even SHA256! Modern crackers can exceed 60 and 180 billion hashes/second (respectively).
- Don’t mix bcrypt and with the raw output of hash(), either use hex output or base64_encode it. (This applies to any input that may have a rogue \0 in it, which can seriously weaken security.)
Dos
- Use scrypt when you can; bcrypt if you cannot.
- Use PBKDF2 if you cannot use either bcrypt or scrypt, with SHA2 hashes.
- Reset everyone’s passwords when the database is compromised.
- Implement a reasonable 8-10 character minimum length, plus require at least 1 upper case letter, 1 lower case letter, a number, and a symbol. This will improve the entropy of the password, in turn making it harder to crack. (See the «What makes a good password?» section for some debate.)
Why hash passwords anyway?
The objective behind hashing passwords is simple: preventing malicious access to user accounts by compromising the database. So the goal of password hashing is to deter a hacker or cracker by costing them too much time or money to calculate the plain-text passwords. And time/cost are the best deterrents in your arsenal.
Another reason that you want a good, robust hash on a user accounts is to give you enough time to change all the passwords in the system. If your database is compromised you will need enough time to at least lock the system down, if not change every password in the database.
Jeremiah Grossman, CTO of Whitehat Security, stated on White Hat Security blog after a recent password recovery that required brute-force breaking of his password protection:
Interestingly, in living out this nightmare, I learned A LOT I didn’t know about password cracking, storage, and complexity. I’ve come to appreciate why password storage is ever so much more important than password complexity. If you don’t know how your password is stored, then all you really can depend upon is complexity. This might be common knowledge to password and crypto pros, but for the average InfoSec or Web Security expert, I highly doubt it.
What makes a good password anyway?
Entropy. (Not that I fully subscribe to Randall’s viewpoint.)
In short, entropy is how much variation is within the password. When a password is only lowercase roman letters, that’s only 26 characters. That isn’t much variation. Alpha-numeric passwords are better, with 36 characters. But allowing upper and lower case, with symbols, is roughly 96 characters. That’s a lot better than just letters. One problem is, to make our passwords memorable we insert patterns—which reduces entropy. Oops!
Password entropy is approximated easily. Using the full range of ascii characters (roughly 96 typeable characters) yields an entropy of 6.6 per character, which at 8 characters for a password is still too low (52.679 bits of entropy) for future security. But the good news is: longer passwords, and passwords with unicode characters, really increase the entropy of a password and make it harder to crack.
There’s a longer discussion of password entropy on the Crypto StackExchange site. A good Google search will also turn up a lot of results.
In the comments I talked with @popnoodles, who pointed out that enforcing a password policy of X length with X many letters, numbers, symbols, etc, can actually reduce entropy by making the password scheme more predictable. I do agree. Randomess, as truly random as possible, is always the safest but least memorable solution.
So far as I’ve been able to tell, making the world’s best password is a Catch-22. Either its not memorable, too predictable, too short, too many unicode characters (hard to type on a Windows/Mobile device), too long, etc. No password is truly good enough for our purposes, so we must protect them as though they were in Fort Knox.
Best practices
Bcrypt and scrypt are the current best practices. Scrypt will be better than bcrypt in time, but it hasn’t seen adoption as a standard by Linux/Unix or by webservers, and hasn’t had in-depth reviews of its algorithm posted yet. But still, the future of the algorithm does look promising. If you are working with Ruby there is an scrypt gem that will help you out, and Node.js now has its own scrypt package. You can use Scrypt in PHP either via the Scrypt extension or the Libsodium extension (both are available in PECL).
I highly suggest reading the documentation for the crypt function if you want to understand how to use bcrypt, or finding yourself a good wrapper or use something like PHPASS for a more legacy implementation. I recommend a minimum of 12 rounds of bcrypt, if not 15 to 18.
I changed my mind about using bcrypt when I learned that bcrypt only uses blowfish’s key schedule, with a variable cost mechanism. The latter lets you increase the cost to brute-force a password by increasing blowfish’s already expensive key schedule.
Average practices
I almost can’t imagine this situation anymore. PHPASS supports PHP 3.0.18 through 5.3, so it is usable on almost every installation imaginable—and should be used if you don’t know for certain that your environment supports bcrypt.
But suppose that you cannot use bcrypt or PHPASS at all. What then?
Try an implementation of PDKBF2 with the maximum number of rounds that your environment/application/user-perception can tolerate. The lowest number I’d recommend is 2500 rounds. Also, make sure to use hash_hmac() if it is available to make the operation harder to reproduce.
Future Practices
Coming in PHP 5.5 is a full password protection library that abstracts away any pains of working with bcrypt. While most of us are stuck with PHP 5.2 and 5.3 in most common environments, especially shared hosts, @ircmaxell has built a compatibility layer for the coming API that is backward compatible to PHP 5.3.7.
Cryptography Recap & Disclaimer
The computational power required to actually crack a hashed password doesn’t exist. The only way for computers to «crack» a password is to recreate it and simulate the hashing algorithm used to secure it. The speed of the hash is linearly related to its ability to be brute-forced. Worse still, most hash algorithms can be easily parallelized to perform even faster. This is why costly schemes like bcrypt and scrypt are so important.
You cannot possibly foresee all threats or avenues of attack, and so you must make your best effort to protect your users up front. If you do not, then you might even miss the fact that you were attacked until it’s too late. and you’re liable. To avoid that situation, act paranoid to begin with. Attack your own software (internally) and attempt to steal user credentials, or modify other user’s accounts or access their data. If you don’t test the security of your system, then you cannot blame anyone but yourself.
Lastly: I am not a cryptographer. Whatever I’ve said is my opinion, but I happen to think it’s based on good ol’ common sense . and lots of reading. Remember, be as paranoid as possible, make things as hard to intrude as possible, and then, if you are still worried, contact a white-hat hacker or cryptographer to see what they say about your code/system.
Related Question
PHP: How to check if gz file is corrupt?
Is there any way to detect if a gz file is corrupt in PHP?, Is there a way to find out what that construct’s objectives are? , Stack Overflow for Teams Where developers & technologists share private knowledge with coworkers , Recovering data from a formatted USB Pendrive which was encrypted
If you can use linux gzip command it will be very simply to find if file is wrong or not. gzip -t will display no message if file is valid.
Answer by Clarissa Bravo
If you can use the linux gzip command, it will be very easy to find if the file is incorrect or not. gzip -t will not display a message if the file is valid.,How to read only in every second line of the file? — python,Is there a way to determine if the gz file is corrupted in PHP?,I read the whole file because I did not find a working path for reading the file line by line, not knowing the size of the longest line, which led (in some cases) to lines that were not completed.
I am currently using http://www.php.net/manual/de/function.gzread.php#110078 to determine the file size and read the entire * file through
$zd = gzopen ( $file, "r" ); $contents = gzread ( $zd, $fzip_size ); gzclose ( $zd );
Answer by Remington Daniels
Currently, i’m running the scripts locally, so i’ve checked the actual file and opens fine, but like i said, the downloaded version is always corrupt.,I’ve tried various different combinations of headers force the download of a tar.gz file. I’ve also tried copying the file and forcing the download of the copied file after opening and closing it.,Ignore my previous post, your code does work. It must be something prior to the download, etc which is causing the issue.,There was a legacy script which was causing issues. I ‘solved’ the issue using output buffering.
$tarfile = new Archive_Tar( /* absolute path to tar location */ ); if( $tarfile->create( $files ) ) < header('Content-disposition: attachment; filename=' . basename( /* absolute path to tar location */ ) ); header('Content-type: application/x-gzip'); readfile( self::EXPORT_DIRECTORY . basename( /* absolute path to tar location */ ) ); unlink( self::EXPORT_DIRECTORY . basename( /* absolute path to tar location */ ) ); >else
Answer by Piper Fletcher
Thanks for contributing an answer to Unix & Linux Stack Exchange!, Unix & Linux help chat , Stack Exchange network consists of 178 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. , About Us Learn more about Stack Overflow the company
What you could do is use file to identify the type of the file, and then use the type to choose an appropriate program to check the file. You could write a script like this:
# /bin/bash -eu FILENAME=$1 FILETYPE="$(file -b $FILENAME | head -1 | cut -d , -f 1)" case "$FILETYPE" in "gzip compressed data") CHECKER="gunzip -t" ;; # many, many more lines here *) echo "Unknown type: $FILETYPE"; exit 1 ;; esac $CHECKER $FILENAME
Answer by Briella Henderson
Using the gunzip test option,See How to check if a Unix .tar.gz file is a valid file without uncompressing ,I must find a way to check their integrity without unzipping them, as they are way too big. Using Python can be an option.,The gzip utility has a ‘-t’ option which tests file integrity without bothering to unpack the file. That’ll tell you if gzip thinks the file is OK.
Using the gunzip test option