Title: PHP security warning
Last modified: August 21, 2016

---

# PHP security warning

 *  Resolved [violacase](https://wordpress.org/support/users/violacase/)
 * (@violacase)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/php-security-warning/)
 * Working with PHP version: 5.4.21 on a local host
 * Admin->comments says in top div:
 * > It seems like your PHP installation is missing “mime_content_type” or “finfo_file”
   > functions which… etc
 * That looks rather odd.
 * [http://wordpress.org/plugins/comment-attachment/](http://wordpress.org/plugins/comment-attachment/)

Viewing 7 replies - 1 through 7 (of 7 total)

 *  Plugin Author [latorante](https://wordpress.org/support/users/latorante/)
 * (@latorante)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/php-security-warning/#post-4466433)
 * Yes, what this means is that your installation is missing either one of these
   functions, and PHP won’t be able to determine the file type using the mime-type
   extension … it can only check the extension itself.
 * Therefore “.jpg” … “.pdf”, etc. But an intruder can force an executable file
   disguised as a jpg, for example.
 * So it’s not odd at all, it’s a warning for you 🙂
 * Regards,
    Mart
 *  Thread Starter [violacase](https://wordpress.org/support/users/violacase/)
 * (@violacase)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/php-security-warning/#post-4466438)
 * Hi Latorante,
 * I do understand your reply but I can’t understand why a newer version of PHP
   would miss that basic security. I’m fairly sure that PHP 5.4.x is well built
   and so by default is prepared for nasty attacks.
 * Have a look at [http://www.php.net/manual/en/function.mime-content-type.php](http://www.php.net/manual/en/function.mime-content-type.php)
   
   You’ll see that
 * > mime_content_type
 *  is deprecated.
 *  Thread Starter [violacase](https://wordpress.org/support/users/violacase/)
 * (@violacase)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/php-security-warning/#post-4466441)
 * Follow up:
    Study this: [http://www.php.net/manual/en/function.finfo-file.php](http://www.php.net/manual/en/function.finfo-file.php)
 * BTW: I didn’t mention my opinion about your plugin. Well… I do like it. I can
   think of some extras / modifications but basically it’s a nice and useful plugin.
 * Regards!
 *  Plugin Author [latorante](https://wordpress.org/support/users/latorante/)
 * (@latorante)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/php-security-warning/#post-4466447)
 * Ha, nice one, what are your suggestions,
    let’s make it better!
 * 🙂
 * Mart
 *  Thread Starter [violacase](https://wordpress.org/support/users/violacase/)
 * (@violacase)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/php-security-warning/#post-4466459)
 * [My two cents](http://violacase.nl/comment-attachment-plugin/)
 *  Plugin Author [latorante](https://wordpress.org/support/users/latorante/)
 * (@latorante)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/php-security-warning/#post-4466462)
 * Right on, I’ll just comment on that post here, hope that’s ok.
 * _You shouldn’t allow uploading a file on the front end if you don’t check the
   contents against malicious code/errors/mistakes. You may not rely on the file
   extension._
    That’s the point, I don’t. The only moment the plugin checks
   only the file extension is **when you’re missing all the PHP file-info functions**
   and it can’t determine that file’s true type. **Which is exactly your case – you
   lack all the necessary fileinfo functions,** so it has to rely only on the file extension.
   Whereas if you had those in your PHP, you wouldn’t see the security message,
   and it would check everything, properly, as PHP does.
 * _Implementing error and security handling per file type is a must. If an error
   occurs you must inform the user in a decent manner, i.e. ajaxify the input/output._
   
   Nope, I’m not gonna do that. WordPress itself handles all commenting errors using
   **wp_die**, which is what I do as well, since I’m only extending the form and its
   possibilities. My plugin doesn’t restructure the whole process of handling errors,
   ajaxifying validation etc. There are tons of other plugins for that – my plugin
   only extends the form so people can attach files.
 * _The only visible thing the plugin should show on the front end is a button just
   left of the standard ‘Post Comment’-button below the comment text area. Clicking
   that button could unhide a div or popup a lightbox for handling the attachment
   procedure._
    I disagree again, this plugin isn’t for everybody I guess, since
   it’s very special in its functionality; it’s for people who want to attach files
   to their comments regularly, not once a year. So I’m not gonna do this either.
 * Other than that, I just realised you missed the point with your original thread
   here, thinking it doesn’t check the file itself. As I mentioned, the message
   in the admin – saying you’re lacking those PHP extensions – shows itself only
   if you really lack those. 99% of the people don’t; you’re just one of the few
   🙂
 * Regards,
    Mart
 *  Thread Starter [violacase](https://wordpress.org/support/users/violacase/)
 * (@violacase)
 * [12 years, 4 months ago](https://wordpress.org/support/topic/php-security-warning/#post-4466479)
 * Ok Mart,
 * Since PHP FileInfo functions are enabled by default as of PHP 5.3.0 and my local
   PHP is 5.4.21, I wondered why the plugin didn’t recognize finfo(). Well, it turned
   out that on a Windows machine you must enable it in php.ini by uncommenting the
   line: extension=php_fileinfo.dll
 * Having fixed that and looking at your code I doubt you may rely just on mime 
   types. On the other hand, I don’t think the uploaded files will pass the php 
   processor so perhaps no real harm can happen. I’m not a security expert so I 
   leave further remarks up to them …
 * About the front end: I disagree with you but think it’s better to create a separate
   thread. Things get mixed up a bit.
 * Happy coding!
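The check the thread describes, as an added example: it is not the Comment Attachment plugin’s own code, and the allowed-type list, file names and sample bytes are assumptions constructed for the demo. It shows the two behaviours the plugin author contrasts (content sniffing with the fileinfo functions versus the extension-only fallback that triggers the admin warning) and the Windows php.ini fix from the last post. Unlike the plugin, it fails closed when no sniffer is available.

```php
<?php
// Added example, not code from the Comment Attachment plugin.
// Validates an upload by its real content with the fileinfo extension and
// compares that to the extension-only check the plugin falls back to.
declare(strict_types=1);

// Assumed allow-list: MIME type => extensions that may carry it.
const ALLOWED_MIME = [
    'image/jpeg'      => ['jpg', 'jpeg'],
    'image/png'       => ['png'],
    'application/pdf' => ['pdf'],
];

// True when PHP can sniff file contents. On Windows this needs
// "extension=php_fileinfo.dll" uncommented in php.ini (see the thread).
function can_sniff_mime(): bool
{
    return function_exists('finfo_open') || function_exists('mime_content_type');
}

// MIME type from the bytes on disk, or null when no sniffer is available.
function detect_mime(string $path): ?string
{
    if (function_exists('finfo_open')) {
        $finfo = finfo_open(FILEINFO_MIME_TYPE);
        $mime  = finfo_file($finfo, $path);
        finfo_close($finfo);
        return $mime === false ? null : $mime;
    }
    if (function_exists('mime_content_type')) {
        $mime = mime_content_type($path);
        return $mime === false ? null : $mime;
    }
    return null;
}

// Extension-only check: what remains when fileinfo is missing.
function extension_allowed(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    foreach (ALLOWED_MIME as $exts) {
        if (in_array($ext, $exts, true)) {
            return true;
        }
    }
    return false;
}

// Content check: the extension must match what the bytes actually are.
// Fails closed (deny) when nothing can sniff the file.
function upload_allowed(string $path, string $filename): bool
{
    if (!extension_allowed($filename)) {
        return false;
    }
    $mime = detect_mime($path);
    if ($mime === null) {
        return false;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset(ALLOWED_MIME[$mime]) && in_array($ext, ALLOWED_MIME[$mime], true);
}

// --- constructed sample files (assumptions for the demo) ---
$dir = sys_get_temp_dir();

// A minimal genuine JPEG: SOI marker, APP0 "JFIF" segment, EOI marker.
$real = $dir . '/real.jpg';
file_put_contents($real, "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xFF\xD9");

// A PHP script renamed to .jpg: the "executable disguised as jpg" case.
$fake = $dir . '/evil.jpg';
file_put_contents($fake, "<?php system(\$_GET['c']); ?>\n");

printf("fileinfo available: %s\n",
    can_sniff_mime() ? 'yes' : 'no (enable the fileinfo extension in php.ini)');
foreach ([$real, $fake] as $path) {
    $name = basename($path);
    printf("%-9s ext-only=%-5s content=%-5s sniffed=%s\n",
        $name,
        extension_allowed($name) ? 'allow' : 'deny',
        upload_allowed($path, $name) ? 'allow' : 'deny',
        detect_mime($path) ?? 'unknown');
}
unlink($real);
unlink($fake);
```

With fileinfo loaded, `real.jpg` is sniffed as `image/jpeg` and passes both checks, while `evil.jpg` passes the extension-only check but is sniffed as `text/x-php` and is denied by the content check. `php -m` lists `fileinfo` when the extension is active, which is a quicker way to confirm the php.ini change than waiting for the plugin’s admin notice to disappear.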

The topic ‘PHP security warning’ is closed to new replies.